Highmark Health, WellDyneRx, Others Report Healthcare Data Breaches

July 13, 2022 - Healthcare data breaches continue to overwhelm the sector in the latter half of the year, with organizations reporting ransomware attacks, third and fourth-party breaches, and unauthorized network access.

Highmark Health Reports Fourth-Party Vendor Breach

Pittsburgh, Pennsylvania-based Highmark Health, a large integrated healthcare delivery and financing system, reported a fourth-party vendor breach that impacted certain Highmark files.

The breach originated between August and October 2021 at Quantum Group, a printing and mailing services vendor. Quantum Group’s services are used by WebbMason, a company that Highmark Health had engaged for marketing services.

Highmark Health’s breach notice explained that WebbMason received notification of the breach in December 2021 and learned that a bad actor had accessed Quantum Group’s network without authorization and acquired certain files.

In January 2022, WebbMason confirmed that the bad actor had accessed data “provided to Quantum in 2017 as part of the services performed by WebbMason on behalf of Highmark.”

The files related to provider mailings regarding prescription drug changes, including names, birth dates, Highmark member IDs, and prescription information.

“WebbMason and Highmark have taken steps to notify all impacted individuals and offer those individuals credit monitoring,” the notice stated.

“Additionally, Highmark will be providing impacted members with enhanced fraud monitoring on their Highmark account.”

Carolina Behavioral Health Alliance Ransomware Attack Impacts 131K

Carolina Behavioral Health Alliance (CBHA) reported a breach to the Office for Civil Rights (OCR) that impacted 130,922 individuals. CBHA is a business associate that contracts with organizations to manage certain medical benefits for the organizations’ health plan participants, its website notice stated.

The organization notified clients LiveWELL Health Plan, Wake Forest University Baptist Medical Center and Affiliates Employee Benefits Plan, and Wake Forest University Health and Welfare Benefit Plan of the incident in May.

CBHA said it detected and stopped a “sophisticated ransomware attack” in which an unauthorized party accessed and disabled some of its systems. While the unauthorized actor had access to CBHA’s network, they potentially accessed names, birth dates, dates of service, addresses, provider names, level of care, Social Security numbers, and health plan identification information.

“Data security is one of CBHA’s highest priorities,” the notice stated. “Since the incident, CBHA wiped and rebuilt affected systems and has taken steps to bolster its network security. CBHA also reviewed and altered its policies, procedures, and network security software relating to the security of systems and servers, as well as how data is stored and managed.”

2021 Email Account Breach at WellDyneRx Impacts 38K

WellDyneRx reported a healthcare data breach that impacted 38,401 individuals. Although WellDyne discovered the breach on December 2, 2021, the company later determined that an unauthorized actor had accessed a WellDyne email account between October 30 and November 11.

The breach impacted certain individuals whom WellDyne had provided pharmacy benefit-related services to. Although there was no evidence that sensitive information was accessed or taken by the unauthorized party, WellDyne was unable to rule out the possibility.

The email account included names, Social Security numbers, treatment information, health insurance information, contact information, prescription information, driver’s license numbers, dates of birth, and other medical information.

“The confidentiality, privacy, and security of personal information within our care is among our highest priorities,” WellDyne’s notice stated.

“Upon learning of the event, we secured the compromised account and investigated to identify any individuals that were affected. We have taken additional steps to improve security and better protect against similar incidents in the future.”

Michigan Avenue Immediate Care Notifies 144K of Unauthorized Access

Michigan Avenue Immediate Care (MAIC), an urgent care center in Chicago, Illinois, notified 144,104 individuals of a data breach involving unauthorized access to its systems.

On May 1, MAIC discovered that an unauthorized party gained access to its network and obtained certain files. MAIC said it immediately contained the incident and secured its network. The notice explained that there was no evidence that any of the information had been used to commit fraud or identity theft at the time of publication.

The potentially accessed files contained names, phone numbers, birth dates, Social Security numbers, driver’s license numbers, addresses, treatment information, and health insurance information.

“MAIC takes its responsibility to safeguard personal information seriously and apologizes for any inconvenience or concern this incident might cause,” the notice explained.