One of the largest health data breaches disclosed to federal regulators so far this year is a supply chain ransomware attack that affected over 1.2 million people. Practicefirst, a medical management services company based in Amherst, New York, disclosed the breach to federal officials on July 1. According to the company's breach notification statement, it paid a ransom in exchange for the attackers' promise to destroy, and not further expose, the files taken in the incident.
The HIPAA Breach Reporting Tool, a website run by the Department of Health and Human Services that lists health data breaches affecting 500 or more people, shows Practicefirst reporting the incident as affecting more than 1.2 million people. As of Tuesday, the Practicefirst hack was the sixth-largest health data breach posted to the HHS website so far in 2021.
According to Practicefirst's breach notification statement, on December 30, 2020, "an unauthorized actor who attempted to deploy ransomware to encrypt our systems copied several files from our system, including files that include limited patient and employee personal information." When the company learned of the incident, it says it shut down its systems, changed passwords, notified law enforcement, and hired privacy and security specialists to assist.
"The information copied from our system by the unauthorized actor before it was permanently deleted included name, address, email address, date of birth, driver's license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, employee username with password, employee username with security questions and answers, and bank account and/or credit card/debit card information," Practicefirst says.
"We are not aware of any fraud or misuse of any of the information as a result of this incident," the company says. "The actor who took the copy has advised that the information is destroyed and was not shared." Many security experts believe that such promises made by hackers are untrustworthy. "Cybercriminals who infiltrate information systems are not reputable or reliable. By their nature, they will lie, cheat and steal," says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
"Vendors to healthcare organizations should be transparent to the public and to the organizations contracted with those providers to make clear statements as to what happened, what data may have been compromised and what steps they are taking to notify the organizations they serve of the data that was put at risk."