Medicare Data Compromised in Boston Consulting Agency Data Breach
A data breach at Boston consulting agency, Greylock McKinnon Associates, Inc., (GMA) affected 341,650 persons. Based on the GMA breach notification, the agency discovered a security incident on May 30, 2023. It was a sophisticated cyberattack as per the forensic investigation findings. The compromise of sensitive personal information was confirmed on February 7, 2024.
The breached data involved medical insurance details, Medicare health insurance claim numbers, Social Security numbers, and health data together with names, birthdates, and addresses. GMA stated the personal information was acquired by the Department of Justice (DoJ) during a civil litigation issue, and was given to GMA by the DOJ to support the litigation. GMA affirmed that the impacted persons were not in the area of interest of the investigation or the related lawsuit, and the DOJ stated that the incident does not affect their present Medicare benefits or insurance coverage. GMA sent notification letters to the impacted persons on April 8, 2024, and offered them free access to Single Bureau Credit Score services/Single Bureau Credit Monitoring/Single Bureau Credit Report.
Medicare information, medical data, and medical insurance details are considered as protected health information by the Health Insurance Portability and Accountability Act (HIPAA), provided that the data is collected, processed, saved, or sent by a HIPAA-regulated entity or a business associate of a HIPAA-covered entity. GMA and the DOJ are not HIPAA-covered entities or business associates, hence the breached data is not considered PHI under HIPAA.
Nevertheless, organizations like GMA must adhere to the Federal Trade Commission (FTC) Act. The FTC has a campaign against organizations regarding data breaches recently, such as the inability to send immediate notifications, as expected by the FTC’s Health Breach Notification Rule. Just like the HIPAA Breach Notification Rule, the FTC Health Breach Notification Rule calls for sending individual notification letters with no unreasonable delay and within 60 calendar days of discovering a security breach. GMA sent its notification letters after 9 months of finding out about the security breach, which could see the company looked into by the FTC. GMA is presently dealing with a minimum of one class action lawsuit about the data breach, which claims violations of the FTC Act and Health Breach Notification Rule.
Ransomware Attack on Group Health Cooperative of South Central Wisconsin Impacts 533K Individuals
Group Health Cooperative of South Central Wisconsin (GHC-SCW) sent notifications to 533,809 patients concerning a cyberattack in January. On January 25, 2024, an unauthorized third party accessed its system and tried to deploy ransomware for file encryption. GHC-SCW stated that the attempt did not succeed; but while responding to the attack and protecting its network, parts of its systems became temporarily unavailable. Third-party cybersecurity professionals investigated what happened. On February 9, 2024, it found evidence that the attacker was able to copy some files from the system before the attempt to encrypt files. The attacker likewise contacted GHC-SCW and professed to be responsible for the ransomware attack, which confirmed the exfiltration of data from its system. The attacker, which is a foreign ransomware group, demanded a ransom payment to delete the data it had stolen. There is no mention by GHJC-SCW of whether it paid the ransom.
The analysis of the breached files revealed that they included these types of patient data: name of member/patient, address, e-mail address, phone number, date of birth and/or death, member number, Medicaid and/or Medicare number, and Social Security number. The types of information affected differed from person to person. As of the time when the notification letters were sent, no proof was found that suggests the misuse or further disclosure of the stolen data.
GHC-SCW stated it sent a notification to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) regarding the ransomware attack and is getting the support of those organizations to mitigate any problems that may arise from the attack. GHC-SCW mentioned implementing cybersecurity measures throughout all systems and networks to minimize the chance of the same incidents later on. Measures included strengthening privacy and security settings, data backup procedures, user HIPAA training and education, and other security procedures. Impacted patients received offers of membership to a credit monitoring service for one year at no cost.
