Data Breaches Reported by PracticeMax and UMass Memorial Health

October 20, 2021

Anthem health plan members with End Stage Kidney Disease who are enrolled in the VillageHealth program have been notified that some of their protected health information has potentially been compromised in a ransomware attack.

VillageHealth helps Anthem plan members through care coordination between the dialysis center, nephrologists, and providers and shares the results with Anthem via its vendor, PracticeMax.

PracticeMax, a provider of business management and information technology solutions to healthcare organizations, identified the attack on May 1, 2021. The investigation revealed the attackers gained access to its systems on April 17, 2021, with access possible until May 5, 2021. PracticeMax said it regained access to its IT systems the following day.

A forensic investigation of the attack confirmed that one affected server contained protected health information (PHI), which may have been accessed and acquired by the attackers.

The investigation into the attack concluded on August 19, 2021, and confirmed the following types of data had been exposed: first and last name, date of birth, address, phone number, Anthem member ID number, and clinical data relating to kidney care services received. Financial information and Social Security numbers were not compromised.

PracticeMax says it has conducted a review of its policies and procedures and has implemented additional safeguards to block future attacks, including rebuilding systems, using additional endpoint security solutions, and enhancing its firewalls. Affected individuals have been offered complimentary credit monitoring services for 24 months.

UMass Memorial Health Alerts Patients About Phishing Attack

UMass Memorial Health has discovered that unauthorized individuals gained access to the email accounts of some of its employees as a result of responses to phishing emails. The phishing attack was discovered on August 25, 2021, when suspicious activity was identified in its email environment.

Unauthorized access to the accounts was immediately blocked and a forensic investigation was launched, with assistance provided by a third-party computer forensics firm. The investigation confirmed the email accounts were breached between June 24, 2020 and January 7, 2021, and during that time, the attackers had access to protected health information stored in the accounts.

While no evidence was found that indicated emails were viewed or obtained by the attackers, the possibility could not be ruled out. A review of the PHI in the accounts was completed on August 25, 2021. The exposed information includes names, Social Security numbers, driver’s license numbers, and financial account information. UMass Memorial Health said complimentary credit monitoring and identity theft protection services have been offered to affected individuals. UMass Memorial said it is enhancing email security and will be re-educating the workforce on email best practices.

The breach has been reported to the Maine Attorney General as affecting a total of 3,099 individuals across the United States.

The post Data Breaches Reported by PracticeMax and UMass Memorial Health appeared first on HIPAA Journal.