3rd Party Risk Management , Breach Notification , Governance & Risk Management

Revenue Cycle Vendor Notifying 400,000 Patients of Hack

Texas-Based Gryphon Healthcare Says an Unnamed Third Party Was at Center of Breach
Revenue Cycle Vendor Notifying 400,000 Patients of Hack
Image: Gryphon Healthcare

A Texas-based healthcare revenue cycle management firm is notifying nearly 400,000 individuals of a hacking incident that it says originated with another third party. The incident is among a growing list of major health data breaches implicating vendors and affecting tens of millions of patients so far this year.

See Also: Live Webinar | CISO Leadership Blueprint to Managing Budgets, Third-Party Risks & Breaches

Gryphon Healthcare on Thursday told Maine's attorney general that the "external system" hacking breach affected 393,358 individuals.

Gryphon Healthcare on its website says it provides revenue cycle management, coding and compliance, and consulting services to hospitals, emergency departments, physician groups, ambulatory surgery centers, imaging centers, independent labs, healthcare facilities and emergency medical services providers.

On Aug. 13, Gryphon Healthcare became aware of a data security incident "involving a partner that Gryphon provides medical billing services for, which resulted in unauthorized access to certain personal and/or protected health information maintained by Gryphon," the company said in its breach notice.

"As a result of this third-party security incident, an unauthorized actor may have accessed certain files and data containing information relative to patients for whom Gryphon provides medical billing services."

Gryphon said it completed "a comprehensive review" of all potentially affected files and data on Sept. 3, and then worked to gather contact information for breach notification letters.

Information of current and former patients that was potentially compromised in the incident includes names, dates of birth, addresses, Social Security numbers, dates of service, diagnosis, health insurance information, medical treatment, prescriptions, provider information and medical record number.

"Gryphon has no evidence to suggest that any potentially impacted information has been misused because of this incident," the company said.

Gryphon's notice does not identify or describe the type of third party involved in the incident, and an attorney representing the company did not immediately respond to Information Security Media Group's request for clarification and additional details about the breach.

Some experts said the unnamed third party at the center of the Gryphon's breach could be potentially a number of different types of entities.

"Given the nature of Gryphon's business, the term 'partner' likely refers to one of its clients, which would fall into the category of a HIPAA-covered entity," said regulatory attorney Rachel Rose, who is not involved in the Gryphon incident.

"Alternatively, it could be a business associate with whom it 'partners' but it would be speculative to guess. It is an unusual choice of word, as most persons disclosing refer to either a covered entity or a business associate."

Kate Borten, president of privacy and security consulting firm The Marblehead Group, said she found Gryphon's breach notice "puzzling."

"I assume the 'third party' is a healthcare provider, such as hospital, clinic or lab. It's interesting that Gryphon, presumably a business associate is providing notice instead of the entity where the breach occurred, and is unnamed," she said.

Federal regulators are "likely to explore the unnamed party's role in this breach, including its security and privacy programs," Borten said.

Gryphon in its breach notice said it has "implemented measures to enhance security and minimize the risk of a similar incident occurring in the future."

Vendor Risk

As of Monday the Gryphon Healthcare incident was not yet posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

Nonetheless, as of Monday, about one-third - or 174 - of the 534 major health data breaches posted on the HHS' Office for Civil Rights website so far in 2024 were reported as involving a business associate.

Those business associate breaches affected about 27.2 million individuals, or about 42% - of the 63.75 million people affected by major health data breaches posted on the website so far this year.

Those totals also do not yet reflect the full impact of the ransomware attack in February on UnitedHealth Group's IT services unit, Change Healthcare. UHG has said the incident likely compromised information for about one-third of Americans. But the Change Healthcare breach is still listed on the HHS OCR website with placeholder estimate of 500 affected individuals, which the company reported in July.

Absent an updated breach report by Change Healthcare, as of Monday, the largest data breach appearing on the HHS OCR website so far this year was a hacking incident affecting 4.3 million individuals reported in August by HealthEquity, a Utah-based health benefits administrator (see: Health Benefits Administrator Hack Affects 4.3 Million).

"The message has been clear since the 2013 HIPAA Omnibus Rule - business associates and subcontractors have the same liability as covered entities," Rose said. The key takeaways from the rash of vendor breaches is that all HIPAA-regulated organizations that handle protected health information must take crucial actions to safeguard the privacy and security of that data, she said.

That includes providing staff with adequate training, maintaining strong policies and procedures, implementing encryption at rest and in transit, monitoring software for attacks, executing business associate agreements and conducting annual HIPAA risk analysis, she said.

"Ensuring that these measures are met is critical."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.