Data Breach at Debt Collection Agency Impacts Multiple Healthcare Providers

May 22, 2023 - R&B Corporation of Virginia, also known as Credit Control Corporation (CCC), reported a data breach to the Maine Attorney General’s Office that impacted more than 286,000 individuals. CCC is a business associate to a variety of healthcare organizations.

On March 7, CCC discovered unusual activity within its network and promptly isolated the impacted systems. CCC later determined that an unauthorized party had copied some files from its system between March 2 and March 7.

The breach involved names, Social Security numbers, addresses, and information relating to the individual’s account with the associated healthcare organization, such as account balances and dates of service.

The breach impacted patients associated with the following healthcare organizations:

• Sentara Health System
• Riverside Health System
• UVA Health System
• Bayview Physicians Group
• Pariser Dermatology Specialists, Inc
• Valley Health System
• Dominion Pathology Laboratories
• Chesapeake Radiology
• Children’s Hospital of the King’s Daughters Health System and its Affiliates
• VCU Health System
• Chesapeake Regional Medical Center
• Mary Washington Healthcare
• Tidewater Physicians Multispecialty Group

CCC encouraged impacted individuals to remain vigilant against identity theft and fraud.

IL Department of Human Services Reports Breach

The Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) reported a breach to HHS that impacted 40,839 individuals. Th breach occurred within the State of Illinois Application for Benefits Eligibility (ABE) system’s Manage My Case (MMC) portal.

The ABE system is the state’s eligibility system for state-funded programs such as Medicaid and the Supplemental Nutrition Assistance Program (SNAP). In March 2023, the departments discovered that suspicious user accounts had been created within the ABE system.

“These suspicious accounts were able to link to existing customer MMC accounts by providing the customer’s date of birth and Individual ID or Social Security Number, and then correctly answering several identity proofing questions,” the notice stated.

“The Departments believe customer personal information had been stolen elsewhere - through no fault of the Departments - and this stolen personal information was then used to access customer MMC accounts.”

The information potentially viewed within the MMC portal included names, phone numbers, dates of birth, addresses, Social Security numbers, benefits applied for and received, and income information. Documents uploaded to support benefits applications may have also been viewed.

In response, the departments de-linked the suspicious accounts and implemented new software to prevent the creation of additional suspicious accounts.

Clarke County Hospital Suffers Data Breach

Iowa-based Clarke County Hospital (CCH) recently notified patients of a data breach that potentially exposed personal information. On April 14, 2023, CCH suffered a network security incident in which an unauthorized party gained access to its network environment.

CCH immediately shut off all network access and engaged a forensic incident response firm to secure the network. The hospital found no evidence that patient information had been misused but encouraged impacted individuals to monitor accounts.

The breach involved names, dates of birth, addresses, medical record numbers, health insurance information, and certain health information.

“We have made immediate enhancements to our systems, security and practices,” the notice stated. “Additionally, we have engaged appropriate experts to assist us in conducting a full review of our security practices and systems to ensure that enhanced security protocols are in place going forward. We are committed to helping those people who may have been impacted by this unfortunate situation.”