Hacking incident at billing vendor affects 270,000 patients

June 21, 2018

A hacking incident at a claims processing company in New York has impacted 270,000 patients of 42 physician practices, which means it likely is one of the largest health data breaches so far this year.

In a June 14 statement, Med Associates, based in Albany, New York, says that on March 22, the company became aware of “unusual activity relating to an employee’s workstation occurring that same day.”

The claims processing company says it immediately began investigating the incident with its IT vendor and subsequently retained a forensic investigation firm to assist.

“It was determined that the unauthorized party accessed the workstation and through that, may have had access to certain personal and protected information,” the statement says.

While the investigation is ongoing, Med Associates says it has determined that information on 270,000 patients which may have been accessible from the workstation includes patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, and insurance information, including insurance ID numbers.

“There was no banking or credit card information contained on or accessible from the workstation,” the company says. “Additionally, we are currently not aware of any misuse of patients’ protected health and/or personal information.”

The vast majority of affected patients are based in New York, but some individuals in Massachusetts, Vermont, and Florida were also notified of the incident, Cathy Alvey, Med Associates president, tells Information Security Media Group.

Alvery says that the organization—in addition to notifying patients—has notified “regulatory agencies … as deemed appropriate by our legal team.” That includes the Department of Health and Human Services.

As of June 20, the incident was not yet posted on HHS’ Office for Civil Rights’ HIPAA Breach Reporting Tool website. Commonly called the “wall of shame,” the website lists health data breaches impacting 500 or more individuals.

If HHS confirms the details of the breach and adds it to the tally, it would be one of the largest breaches added so far this year.

Alvey notes that Med Associates’ clients were given an opportunity to review its response and provide approval for Med Associates to notify required parties on their behalf. “Med Associates, as a business associate to the covered entities, notified the covered entities within 60 days of the [March 22] discovery,” she adds.

Alvey did not provide ISMG with details about the nature of the hacking. But she said the attack did not involve ransomware or phishing.

Alvey also tells ISMG that there was no evidence that the company’s claim processing software was accessed and no malware was noted on its servers. “Through access to the workstation, the intruder could have potentially accessed claim submission files residing on our network. There was no evidence that they did. The notification was prompted by the fact that we are unable to definitively rule out the possibility that those claim submission files could have been accessed,” she says.

In its statement, Med Associates reports that in the aftermath of the incident, it immediately secured the impacted workstation, implemented even more stringent information security standards and increased staff training on data privacy and security.

The company is providing patients affected by the breach one year of free credit monitoring and identity restoration.

ISMG has the full article