
Healthcare Cyberattacks, Vendor Mishaps Result in PHI Exposure

Third-party vendor errors and healthcare cyberattacks continue to jeopardize patient privacy and cause PHI exposure.


By Jill McKeon

Whether PHI exposure results from healthcare cyberattacks, employee errors, or vendor mistakes, the consequences of a healthcare data breach can be detrimental to patient privacy and security.

Data breaches can also have legal and reputational consequences for impacted organizations as victims continue to take legal action, often alleging that negligence and improper security measures caused a preventable breach.

Accellion reached an $8.1 million settlement to resolve a class-action lawsuit after a December 2020 data breach involving zero-day vulnerabilities in the company’s File Transfer Appliance (FTA), which impacted millions of individuals.

BioPlus Specialty Pharmacy and EHR vendor QRS are also facing lawsuits in the wake of recent data breaches.

The most recent data breaches reported to HHS involved vendor mix-ups and malicious cyberattacks, both of which resulted in potential PHI exposure.

Ravkoo Pharmacy Suffers AWS Portal Breach


Florida-based online pharmacy Ravkoo began notifying patients of a September 2021 cyberattack that impacted 105,000 individuals. The digital SaaS prescription fulfillment platform noticed suspicious activity on its AWS-hosted portal and determined that a third party had tried to infiltrate the portal.

The pharmacy’s website notice does not get into specifics about what protected health information (PHI) was involved, but it notes that “certain prescription and health information could have been compromised.”

“Notably, we have found no evidence that any individual’s Social Security Number was accessed or compromised as Ravkoo does not maintain this information within the impacted portal,” the notice continued.

“Further, Ravkoo does not have any evidence to indicate that any information involved in the incident has been or will be misused as a result of this incident.”

Ravkoo worked with forensic experts to increase the security of its AWS-hosted portal and reported the cyberattack to the Federal Bureau of Investigation (FBI) and HHS. Ravkoo recommended that impacted patients look into obtaining a copy of their credit reports, placing a security freeze on their credit reports, and setting up fraud alerts as an extra precaution.

Revenue Cycle Management Company Faces Patient Data Exposure


Healthcare revenue cycle management company Practolytics issued a press release to alert 1,107 individuals of a data security incident that occurred on November 30, 2021.

“A client-generated report containing COVID testing appointment information, which would normally be deactivated following initial download, remained active,” Practolytics stated.

The company said it took immediate steps to delete and deactivate the download link and engaged external cybersecurity experts to conduct an investigation.
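The failure mode in the Practolytics statement is a report download link that should have been deactivated after its first download but stayed active. The following is an added example, not Practolytics' code, of how a single-use, time-limited download token can be enforced, plus an audit routine that flags any link left active after download or past its expiry; the store, report identifiers and clock are all constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class DownloadLink:
    token: str
    report_id: str          # constructed identifier for a client-generated report
    issued_at: float
    ttl_seconds: int
    downloaded_at: Optional[float] = None
    active: bool = True


class DownloadLinkStore:
    """Hypothetical store for single-use, time-limited report download links."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                      # injectable clock so expiry can be tested
        self._links: Dict[str, DownloadLink] = {}

    def issue(self, report_id: str, ttl_seconds: int = 3600) -> str:
        token = secrets.token_urlsafe(32)    # unguessable token, never a sequential id
        self._links[token] = DownloadLink(token, report_id, self._now(), ttl_seconds)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the report id on the first valid use and deactivate the link at once."""
        link = self._links.get(token)
        if link is None or not link.active:
            return None
        if self._now() - link.issued_at > link.ttl_seconds:
            link.active = False              # expired links are closed, not left dangling
            return None
        link.downloaded_at = self._now()
        link.active = False                  # deactivate before the report is served
        return link.report_id

    def audit_stale(self) -> List[str]:
        """Tokens still active after a download or past their TTL: the state to alert on."""
        now = self._now()
        return [t for t, l in self._links.items()
                if l.active and (l.downloaded_at is not None
                                 or now - l.issued_at > l.ttl_seconds)]
```

Running `audit_stale()` on a schedule turns the "link remained active" condition into a detectable event rather than something discovered after exposure.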

The PHI of both minors and adults may have been exposed, including names, birth dates, genders, addresses, Social Security numbers, email addresses, appointment dates and type, insurance information, and provider names.

Practolytics began notifying impacted individuals on January 13.


“The security of information is our top priority at Practolytics, and we are committed to safeguarding data and privacy,” the notice concluded.

“We deeply regret any worry or inconvenience that this matter may cause.”

Vendor Printing Issue Leads to Data Breach For CA Health Plan

Oscar Health Plan of California began notifying patients of a vendor printing issue that resulted in a healthcare data breach. In late November, Oscar discovered that mail intended for some Oscar members may have been accidentally misrouted to another member.

The unintended recipient may have viewed names, Oscar ID numbers, provider information, dates of service, procedure names, plan names, and claim numbers. It is unclear how many individuals were impacted by the breach.

Oscar said it took steps to remediate the issue with its printing vendor and subsequently re-sent the mailings to the intended recipients.

“The latest in a string of healthcare data breaches to hit the headlines, this unfortunate case shows us that ransomware and cyberattacks are far from the only issue facing healthcare CISOs. Data breaches caused by human error are a major problem in the industry,” Tony Pepper, CEO and co-founder of cybersecurity company Egress, commented in an email to HealthITSecurity regarding the Oscar breach.

“Due to the nature of Protected Health Information, these breaches can have a significant personal impact on the people involved. The costs for healthcare organizations can also be severe, with an increasing number of data subjects choosing to pursue class action lawsuits against organizations that have breached their data. It’s time for organizations to show they take data privacy seriously and ensure that they have intelligent technology in place to protect sensitive data. Healthcare organizations have access to some of their patients’ most sensitive personal information, and they have a duty to protect it.”

Medical Review Institute of America Breach Impacts 134K

On behalf of some of its customers, Medical Review Institute of America (MRIoA) began notifying patients of a healthcare data breach that impacted 134,571 individuals.

MRIoA, which provides clinical peer review services for some of the country’s largest health plans, self-insured employers, and government entities, discovered that it was the target of a sophisticated cyberattack on November 9, 2021.

The institute immediately engaged third-party investigators and contacted the FBI. On November 12, MRIoA determined that an unauthorized party had acquired patient PHI.

The exposed information may have included contact and demographic information, Social Security numbers, clinical information, and financial information.

On November 16, MRIoA retrieved the stolen data and confirmed the deletion of the information to the best of its ability, the notice explained. The investigation is ongoing.

“The security and privacy of the information contained within our systems is a top priority for us, and we were shocked and dismayed to learn that we were one of the thousands of victims of this type of cyberattack,” Ron Sullivan, CEO of MRIoA, explained in the notice.

“We are fully committed to protecting the information on our systems and sincerely regret the inconvenience and worry caused by this incident. We thank the community, our employees, and partners for their support during this event.”

MRIoA said it implemented additional cybersecurity safeguards since the event, including threat detection software, additional authentication protections, and completely new servers. MRIoA urged impacted individuals to remain vigilant and offered complimentary credit monitoring and identity protection services to victims.