CareFirst Administrators Impacted By Phishing Scam at RCM Vendor

December 12, 2022 - CareFirst Administrators (CFA) notified 14,538 individuals of a phishing scam that occurred at Conifer Revenue Cycle Solutions, a provider of revenue cycle management services to healthcare organizations. The incident potentially impacted some members’ health information.

In March 2022, Conifer discovered that an unauthorized party had gained access to certain Microsoft Office 365-hosted business email accounts via a phishing scam. Upon discovery, Conifer said it acted to prevent further unauthorized activity.

The unauthorized party accessed the accounts between March 17 and March 22. Conifer notified CFA of the incident on June 23 and later determined that one of the impacted email accounts contained CFA member information.

The account included names, addresses, health insurance information, dates of birth, medical information, and billing and claims information. Some Social Security numbers were also impacted by the phishing attack.

“Conifer assured CFA that it has and continues to enhance its security controls and monitoring practices as appropriate to minimize the risk of any similar incident in the future,” CFA’s notice stated.

READ MORE: Conway Regional Medical Center Reaches $295K Settlement Over Healthcare Data Breach

“CFA and Conifer sincerely regret that this incident occurred and apologize for any inconvenience this incident may have caused.”

Receivables Performance Management Breach Impacts 3.7M Individuals

Receivables Performance Management (RPM) reported a ransomware attack to the Maine Attorney General’s Office that impacted 3.7 million individuals. RPM is a Washington-based debt collection company that provides accounts receivable management services to a variety of industries, including healthcare.

RPM discovered a data security incident in May 2021 and immediately took its systems offline. In the following 36 hours, the company “rebuilt its shared servers from the ground up,” the notice explained.

Further investigation determined that an unauthorized party had accessed RPM’s systems on April 8 and deployed ransomware on May 12, 2021.

“While the findings of the forensic investigation were not conclusive, the data security incident may have resulted in unauthorized access to and/or acquisition of certain data on RPM’s systems,” the notice stated.

READ MORE: KLAS: Security is a Top Factor in Public Cloud Adoption For HIT Vendors

“As a result, in an abundance of caution, RPM began undertaking extensive efforts to gather and review this data to identify the presence of any personal information.”

RPM described these efforts as “extensive” due to the complexities of its server infrastructure. The process concluded in October 2022 and determined that Social Security numbers and other personal information were impacted by the ransomware attack.

“Please be advised that RPM is continuing to work closely with leading security experts to identify and implement measures to further strengthen the security of their systems to help prevent this from happening in the future,” RPM stated.

Suncoast Skin Solutions Provides Additional Information About 2021 Breach

A notice provided to the Maine Attorney General’s Office shed additional light on a 2021 breach at Suncoast Skin Solutions that impacted 75,992 individuals. The Florida dermatology practice first detected unusual activity on its network on July 14, 2021.

A forensic investigation found evidence that an unauthorized actor had accessed some of Suncoast’s files. Further review of its systems concluded in November 2021 and determined that some legacy patient information was impacted. Suncoast provided a substitute notice on its website and to local media outlets in January 2022 while it continued to investigate the incident internally.

READ MORE: HC3 Explores Cybersecurity Implications of Automation in Healthcare

“Due to the nature and size of the potentially impacted data, the data mining process occurred from December to October 2022,” Suncoast explained.

On November 28, Suncoast finalized its list of impacted individuals to notify and determined what information was implicated in the breach. Suncoast said it has no evidence that any sensitive information has been misused by third parties as a result of the incident.

“Since the discovery of the incident, Suncoast moved quickly to investigate, respond, and confirm the security of our systems,” the notice explained.

“Specifically, Suncoast disconnected all access to its network, changed all employee credentials, added logon hour restrictions for all hourly employees, increased its password complexity, enhanced its security measures, and took steps and will continue to take steps to mitigate the risk of future harm.”

Unauthorized Party Copies Files at San Gorgonio Memorial Hospital

San Gorgonio Memorial Hospital in Banning, California notified patients of a data breach. The hospital discovered that an unauthorized party had gained access to its network between October 29 and November 10, 2022. The unauthorized party copied some documents on the hospital’s system during that time.

The documents contained names, addresses, medical record numbers, visit ID numbers, health insurance information, clinical information, and dates of birth. The investigation is ongoing, but the hospital said it would update patients if it discovered that any additional information was involved in the incident, such as financial account information or government-issued ID numbers.

Upon discovery of the breach on November 10, San Gorgonio Memorial Hospital said it immediately initiated its incident response protocols and isolated select systems. The hospital encouraged patients to review statements they receive from their healthcare providers and insurers.