Sharecare Health Data Services (SHDS) recently notified AltaMed Health Services and California Physicians Service (dba Blue Shield of California) of a network hack that potentially breached the data of thousands of their patients.
Sharecare provides the two covered entities with medical records management services.
On December 31, Sharecare notified AltaMed of a network hack that officials first discovered on June 22, 2018. An investigation determined the hack began a month earlier on May 21, 2018. As a result, some data from its covered entities, AltaMed and BSC, was accessed and/or acquired by the hacker.
For BSC, the breach also began on May 21, but it was not discovered until June 26, 2018. According to the notice, “an unknown third party was able to access its servers, which contained your personal information and transfer that data to locations outside of the United States.”
Once discovered, Sharecare officials “took immediate steps to prevent further access.” They also hired a third-party forensics team to help with the investigation and retained a third party to “implement 24/7 monitoring of its data systems, refined its data retention policies and improved its maintenance communications and protocols to ensure continuity across its network.”
The compromised data included patient names, addresses, dates of birth, and unique identification numbers. For some patients, the hacker also accessed the names and addresses where the patient received health services, along with medical record numbers and/or SHDS processing notes.
No Social Security numbers, driver’s licenses, clinical medical information, or banking and credit card data were compromised. All patients will be provided a year of free credit monitoring.
“This incident was not the result of any action or inaction by AltaMed and did not affect the integrity or security of AltaMed’s digital environment,” AltaMed officials said in a statement. “Since learning of this incident, has worked diligently to identify those AltaMed patients whose information may have been affected for purposes of notification.”
The security incident is not yet posted on the Department of Health and Human Services’ breach reporting tool, so the total number of patients impacted is not yet known.
AltaMed began notifying patients of the breach on February 15. According to its notice to the California Attorney General, 5,767 residents of California were impacted by the Sharecare breach. BSC has continued to work with Sharecare to ensure the business associate has bolstered its cybersecurity protections to meet BSC standards.
Third-party vendor and business associate breaches continue to be problematic for the healthcare sector. In fact, the largest breach of 2018 was caused by a third-party vendor hack on AccuDoc Solutions, breaching the data of 2.65 million Atrium Health patients.
As cyberattacks can cost upwards of $1.4 million on average in recovery, building a secure vendor management relationship, with strong contracts and annual risk assessments, is crucial to reducing business associate risks.