Third-Party Vendor Ransomware Attack Impacts Humana, Anthem Members

October 27, 2021 - Both Humana and Anthem began notifying members that their protected health information (PHI) had been exposed following a ransomware attack on billing and IT solutions vendor PracticeMax.

Humana and Anthem use PracticeMax to share information with Village Health, a provider that helps patients with end-stage kidney disease. Village Health provides care coordination between dialysis centers, providers, and nephrologists. Humana stated that over 4,000 patients were impacted, and it remains unclear how many Anthem members were exposed.

PracticeMax discovered the breach on May 1. Further investigation revealed that the ransomware attack had occurred between April 17 and May 5. The vendor restored its systems by May 6 but determined that an unauthorized actor had accessed and stolen files containing PHI.

Accessed information may have included first and last names, birth dates, phone numbers, member ID numbers, clinical data pertaining to kidney care services, and addresses. No financial information was included in the attack.

“PracticeMax is committed to safeguarding your personal information. Upon learning of the incident, PracticeMax moved quickly to confirm the security of their systems. As part of PracticeMax’s ongoing commitment to the privacy of information in our care, we reviewed our existing policies and procedures and implemented additional safeguards to further secure the information in our systems,” the vendor’s statement explained.

“These included rebuilding systems, enhancing firewalls, and installing additional endpoint software, among other things. We also notified regulatory authorities and law enforcement.”

PracticeMax said it did not have reason to believe that any personal information would be mishandled because of the incident. However, the vendor recommended that impacted individuals review Explanation of Benefit (EOB) letters, SmartSummary statements, and medical records for suspicious activity.

Impacted individuals will receive free credit monitoring services for the next two years.

Third-party vendors and business associates continue to be prime targets for ransomware attacks, pointing to a need to secure the entire healthcare supply chain.

“You can do all the diligence in the world in terms of making them fill out questionnaires and asking them for documentation and interviewing their people and getting them to sign documents that say they're following their procedures and then low and behold, they don't follow them. And not only are you impacted but your customers are impacted as well,” Mac McMillan, CEO of CynergisTek, previously told HealthITSecurity.

The HIPAA Security Rule requires covered entities to enter into a business associate agreement (BAA) with any third-party vendor that performs services on the entity’s behalf. The agreement holds business associates to the same HIPAA standards as the covered entity, ensuring that patient PHI is safe.

However, recent research from Forrester Consulting on behalf of CyberGRX revealed that while over 82 percent of surveyed IT and security professionals recognized that third-party threats exposed their organizations to risk, only half said that their organizations actually prioritize those risks.

Over the next five years, organizations estimated that their organizations would share about 41 percent of critical data with third-party entities.

Taking a holistic approach to cybersecurity and protecting data at every step of the supply chain can help organizations mitigate risks and avoid becoming a data breach victim.