Health Data Analytics Firm Reports 1.1-Million Record Data Breach
A Portland, ME-based accounting and consulting firm has recently reported a data breach to the Maine Attorney General that involved the personal information of 1,107,354 individuals. Berry, Dunn, McNeil & Parker, LLC (BerryDunn) provides health data analytics services to healthcare providers, health insurers, and government regulatory and healthcare policy agencies and its clients provide BerryDunn with personal and health data to allow the firm to perform its contracted services.
BerryDunn’s Health Analytics Practice Group (HAPG) contracted with a managed service provider (MSP) called Reliable Networks of Maine, LLC, which manages systems on behalf of HAPG. According to BerryDunn’s breach notice, Reliable Networks notified HAPG on September 14, 2023, that it had identified suspicious activity on its network, including in the systems it manages for HAPG. BerryDunn immediately initiated its incident response protocols and brought in third-party cybersecurity experts to investigate to determine the extent to which client data was involved.
BerryDunn immediately initiated its incident response protocols and brought in third-party cybersecurity experts to investigate to determine the extent to which client data was involved. According to BerryDunn’s notification to the Maine Attorney General, “The investigation found that an unauthorized actor gained access to Reliable’s network and took some data stored on the
HAPG systems.”
BerryDunn’s investigation confirmed that a threat actor gained access to the network and stole data from the HAPG systems the MSP managed. A vendor was engaged to conduct a review of the affected files, and that process was completed on April 2, 2024. The information exposed or stolen in the incident included names, addresses, dates of birth, Social Security numbers, health insurance policy numbers, Medicare or Medicaid numbers, state or governmental ID numbers, passport numbers, and medical information. Notification letters were mailed to the affected individuals on April 25, 2024, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. Those services include a $1 million identity theft reimbursement policy.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
It is unclear how many of BerryDunn clients have been affected. BerryDunn has confirmed that it has decommissioned all systems under the control of Reliable Networks, migrated all HAPG data to secure internal BerryDunn servers, and said those servers are continuously monitored for unauthorized access under its cybersecurity program.
Reliable Networks has provided a statement about the unauthorized access and data breach and confirmed that BerryDunn’s systems were accessed by an unauthorized third party, not Reliable Networks’ own network. “Reliable Networks is disappointed in Berry Dunn’s decision to place blame on Reliable Networks for the events that transpired. Reliable Networks has worked with Berry Dunn for years, providing technology consultation services, on-demand IT support and training, and maintenance and monitoring services for Berry Dunn’s own networks. Berry Dunn, however, did not retain Reliable Networks to serve as its cybersecurity protection/prevention vendor,” explained a spokesperson for Reliable Networks. “As Berry Dunn states in its recent Notice, while performing its network monitoring services, Reliable Networks discovered suspicious activity affecting Berry Dunn’s network, and promptly notified Berry Dunn of this activity. Notably, however, the data breach did not occur on Reliable Networks’ own network, nor its internal systems. Furthermore, none of Reliable Networks’ other clients’ networks or systems were impacted by this data breach.”
