PHI 'May Have Been Removed' in Vendor's Ransomware Attack
Incident Is Among Latest Involving Healthcare Supply Chain Vendors
This article has been updated with PracticeMax CEO's statement that no data was "stolen."
A ransomware attack on a medical practice management services firm that included the possible "removal" of files containing patient information is among the latest security incidents involving similar third-party vendors.
Arizona-based PracticeMax, in sample breach notification letters being sent this month to certain members of coordination of care health plan clients Humana, Anthem and DaVita Inc., says their protected health information may have been affected by a ransomware attack that began on April 12 and ended on May 5.
PracticeMax says it regained access to its systems on May 6, and determined that one server containing protected health information may have been accessed and "certain files" may have been removed.
The affected individuals are all members of VillageHealth, a care coordination program for patients with chronic conditions that is run by DaVita Inc. and offered through health plans including Anthem and Humana.
A breach report filed on Sept. 28 by Humana to the Maine attorney general's office about the PracticeMax incident indicates the breach affected more than 4,400 of its members, including three Maine residents.
A breach report about the PracticeMax incident filed by Anthem with the California attorney general's office on Oct. 15 does not indicate how many of Anthem's VillageHealth members were affected.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that PracticeMax reported the hacking incident on June 30 as affecting 500 individuals.
The HHS' Office for Civil Rights website lists breaches affecting 500 or more individuals.
Sometimes an organization files an initial breach report to HHS indicating that 500 individuals were affected in an incident before the entity can determine a more precise figure.
In a statement provided to Information Security Media Group, PracticeMax CEO Michael Johnson said, "To clarify, we state there is no evidence that PHI was stolen. There is no evidence that any data was taken, removed, stolen, exfiltrated, or in any way moved from our servers to another location. All reporting has been out of an abundance of caution, despite there being no evidence that the data was taken."
The company did not comment on a request for additional details about the incident, including the total number of its clients and individuals affected.
On its website, PracticeMax says it serves over 5,200 providers in all 50 states and processes over 2.4 million patient/provider encounters and billings annually.
In breach notification letters being sent on behalf of DaVita, Humana and Anthem, PracticeMax says the incident affected PHI including members' first and last name, date of birth, address, phone number, Social Security Number, member ID number and clinical data pertaining to services received through the VillageHealth program.
"Upon learning of the incident, PracticeMax moved quickly to confirm the security of their systems," the vendor says in the letters. In the wake of the incident, PracticeMax says, it has reviewed its existing policies and procedures and implemented additional safeguards to further secure the information in its systems.
The company also notified regulatory and law enforcement authorities and is offering affected individuals 24 months of credit and identity monitoring, it says.
PracticeMax adds that it has "no reason to believe" individuals' personal information will be used inappropriately because of the incident.
PracticeMax is not the only practice management vendor to recently report a ransomware attack or other hacking incident affecting clients and their patients. For instance, Practicefirst, an Amherst, New York-based medical management services provider, on July 1 reported to HHS OCR a breach that occurred late last year affecting more than 1.2 million individuals.
The company's breach notification statement indicated that the firm had paid a ransom in exchange for promises that the attackers would destroy the stolen files and not further disclose them.
As of Thursday, the PracticeFirst incident was the ninth largest health data breach posted on the HHS OCR website so far in 2021.
Other recent incidents involving similar types of healthcare sector supply chain vendors include a hacking incident at San Antonio-based CaptureRx, which provides technology and administrative services to hundreds of U.S. hospitals and other healthcare entities, and a cyber incident at Dallas-based MedNetworx, which provides hosted medical software, including the Aprima electronic health record system from CompuGroup eMDs (see: More Healthcare Disruptions Tied to Vendor Incidents).
Raising the Bar
Some experts say the healthcare sector overall needs to raise the bar on how vendor security risk management is handled.
"This is a problem we are going to continue to have until we set a higher standard for security, applicable to all entities handling sensitive information, and recognize that business associates or third parties are an integral part of the healthcare digital ecosystem and hold them to that standard," says Mac McMillan, CEO of privacy and security consultancy CynergisTek. "And that standard has to be something other than HIPAA," he adds.
Second, organizations must prioritize third parties based on what they do and on what McMillan calls "a resilience rating" for the health system. That means: "If they go down, they affect patient care adversely, which includes privacy, or impacts system operations," he says.
Lastly, the healthcare sector needs more proactive protocols for managing the risk associated with critical vendors and more prescriptive regulatory guidance on expectations for security, he adds.
It is not just U.S.-based healthcare sector supply chain vendors that have been the recent victims of hacking incidents.
Singapore-based healthcare firm Fullerton Health last week confirmed that a security breach incident at Agape Connecting People - a vendor that helps the company manage patient appointments and bookings - resulted in the data leak of its customers' personal information (see: Vendor Partner Responsible for Fullerton Health Data Breach).