Fraud Management & Cybercrime , HIPAA/HITECH , Ransomware
2 Health Plans Report Major Breaches Following AttacksIncidents Allegedly Involved Conti, Hive Ransomware Gangs
Two recent apparent ransomware attacks on health plans - one allegedly involving Conti, and the other Hive, have potentially affected hundreds of thousands of individuals. One of the health plans is already facing legal fallout.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The separate incidents involve the employee group health plan of Cleveland, Ohio-based motion and control technology manufacturer Parker-Hannifin Corp. and Fairfield, California-based managed care provider Partnership HealthPlan of California. PHC was slapped with a proposed class action lawsuit last week involving its incident.
Parker-Hannifin on May 13 reported to the U.S. Department of Health and Human Services a hacking/IT incident involving a network server and affecting nearly 120,000 individuals.
As of Thursday, the Parker incident is the largest HIPAA breach reported by a health plan that has been posted on the HHS OCR website so far in 2022.
In a statement issued May 13, Parker Hannifin says an investigation into a data security incident determined that an unauthorized third party gained access to and may have acquired "certain files" on Parker's IT systems between March 11, 2022, and March 14.
On March 31, Conti ransomware actors claimed they had been behind the attack and leaked data stolen in the Parker-Hannifin incident (see: Conti Claims It Has 'Insiders' in Costa Rican Government).
Parker in its statement says its review determined that affected files may have included information related to current and former employees, their dependents and members of Parker's Group Health Plans, including health plans sponsored by an entity acquired by Parker.
Potentially affected information includes names, Social Security numbers, dates of birth, addresses, driver's license numbers, U.S. passport numbers, financial and banking account information, online account usernames/passwords, health insurance plan member ID numbers, and dates of coverage.
For some individuals, the information also included dates of coverage, dates of service, provider names, claims information, and medical and clinical treatment information, the company says.
In a March 14 filing with the U.S. Securities and Exchange Commission, Parker says that upon detecting the unauthorized access, the company immediately activated its incident response protocols, which included shutting down certain systems and commencing an investigation of the incident.
"The Company believes some data was accessed and taken and may include personal information of Company team members," the filing says.
Based on Parker's preliminary assessment of the situation, the company said the incident had not had a significant financial or operational impact and that it did not believe the incident would have a material impact on its business, operations or financial results. "The Company’s business systems are fully operational, and the Company maintains insurance, subject to certain deductibles and policy limitations typical for its size and industry," Parker said in the filing.
Parker declined Information Security Media Group's request for additional details about the incident, including comment on the claims by Conti of its involvement in the attack.
Partnership HealthPlan of California Breach
Meanwhile, PHC recently disclosed it has suffered a data breach resulting from an apparent ransomware attack in March, allegedly by the Hive cybercriminal group (see: Partnership Health Plan California's Systems Still Down).
The incident also left the California nonprofit managed care health plan provider struggling to recover its IT services for several weeks.
In a notification statement posted on its website, PHC says that on March 19, it identified unusual activity on its network and that is has "evidence" that an unauthorized party accessed or took certain information from PHC's network on or about March 19.
PHC in its notification statement does not specifically identify the incident as a ransomware attack.
In a posting in March on its dark web data leak site, the ransomware group Hive claimed responsibility for the incident, saying that data stolen from PHC includes 400GB of files from a file server and 850,000 "unique records" of personally identifiable information, including names, addresses, dates of birth and Social Security numbers.
As of Thursday, the HHS OCR HIPAA Breach Reporting Tool website listing protected health information breaches affecting 500 or more individuals did not yet show a HIPAA breach report filed by PHC.
A lawsuit filed against PHC on May 5 in a California superior court in the wake of the incident alleges that the organization "failed to take steps necessary to prevent such an attack and has refused to date to notify victims of this ransomware attack that their personal information was improperly accessed and stolen." The complaint was filed by a "John Doe" plaintiff affected by the incident on behalf of himself and others similarly situated.
In its notification statement about the incident, PHC says its investigation has determined that the information affected may include certain individuals' names, Social Security numbers, dates of birth, driver's license numbers, tribal ID numbers, medical record numbers, treatments, diagnoses, prescriptions and other medical information, health insurance information, member portal usernames/passwords, and email and physical addresses.
PHC did not immediately respond to ISMG's request for comment.
Other Health Plan Incidents
To date, the largest health data breach ever reported by regulators was the 2014 cyberattack on health plan Anthem Inc., which affected nearly 79 million individuals.
The Anthem breach was also the subject of a $115 million settlement in 2018 of a consolidated class action lawsuit - and a $16 million enforcement action in 2018 by federal regulators.
Other health plans that suffered major health data breaches have also been slapped with enforcement actions by regulators.
For instance, the New York attorney general in January announced a settlement with Ohio-based benefits provider EyeMed Vision Care following a 2020 email hacking breach that affected 2.1 million individuals, including nearly 99,000 New Yorkers.