Gryphon Healthcare has reported a security incident wherein the files of approximately 400,000 people with protected health information (PHI) had been accessed by unauthorized individuals. Gryphon Healthcare based in Houston, TX is a revenue cycle, coding, HIPAA training compliance, consultancy, and management services provider to healthcare organizations including hospitals, emergency departments, independent laboratories, EMS providers, medical imaging facilities, physician practices, and ambulatory surgery centers.
The security incident happened at a partner organization that Gryphon Healthcare provides with medical billing services. Gryphon Healthcare became aware of the third-party security incident on August 13, 2024. After conducting a comprehensive analysis of the impacted files, Gryphon Healthcare confirmed the exposure and potential theft of the PHI of 393,358 patients of its healthcare clients. No data was given regarding the nature of the incident, such as the involvement of ransomware. The number of healthcare provider clients affected is likewise uncertain.
The analysis of records concluded on September 3, 2024, which confirmed the exposure of data including names, Social Security numbers, addresses, birth dates, dates of service, diagnoses, medical insurance data, medical treatment details, prescription data, provider data, and medical record numbers. According to Gryphon Healthcare, there is no evidence of data misuse found when issuing breach notifications. Nevertheless, as a safety precaution, the impacted individuals were provided free identity theft protection services. Services such as identity theft recovery services, credit and CyberScan monitoring, and an identity theft insurance policy worth $1 million are included.
Gryphon Healthcare already carried out measures to improve security and reduce the risk of the same incidents happening later. The affected individuals received notification letters on October 11, 2024. The delay in issuing breach notification letters was because of the time it took to confirm the contact details for the impacted persons.