HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breaches Reported by PracticeMax and UMass Memorial Health

Anthem Inc, Humana, and DaVita health plan members with End-Stage Kidney Disease who are enrolled in the VillageHealth program have been notified that some of their protected health information has potentially been compromised in a ransomware attack at business associate PracticeMax.

The VillageHealth program helps health plan members with care coordination between the dialysis center, nephrologists, and providers and shares the results with their health plan provider through PracticeMax.

PracticeMax, a provider of business management and information technology solutions to healthcare organizations, identified the attack on May 1, 2021. The investigation revealed the attackers gained access to its systems on April 12, 2021, with access possible until May 5, 2021. PracticeMax said it regained access to its IT systems the following day.

A forensic investigation of the attack confirmed that one server was affected. The server contained protected health information (PHI), which may have been accessed and acquired by the attackers.

The investigation into the attack concluded on August 19, 2021, and confirmed the following types of data had been exposed: first and last name, date of birth, address, phone number, Anthem member ID number, and clinical data relating to kidney care services received. Financial information and Social Security numbers were not compromised.

PracticeMax says it has conducted a review of its policies and procedures and has implemented additional safeguards to block future attacks, including rebuilding systems, using additional endpoint security solutions, and enhancing its firewalls. Affected individuals have been offered complimentary credit monitoring services for 24 months.

Humana says 4,424 of its members were affected. It is currently unclear how many Anthem and DaVita plan members have been affected.

UMass Memorial Health Alerts Patients About Phishing Attack

UMass Memorial Health has discovered unauthorized individuals gained access to the email accounts of some of its employees as a result of responses to phishing emails. The phishing attack was discovered on August 25, 2021, when suspicious activity was identified in its email environment.

Unauthorized access to the accounts was immediately blocked and a forensic investigation was launched, with assistance provided by a third-party computer forensics firm. The investigation confirmed the email accounts were breached between June 24, 2020, and January 7, 2021, and during that time, the attackers had access to protected health information stored in the accounts.

While no evidence was found that indicated emails were viewed or obtained by the attackers, the possibility could not be ruled out. A review of the PHI in the accounts was completed on August 25, 2021. Patients affected by the breach may have had the following information exposed: names, dates of birth, medical record numbers, health insurance information, clinical/treatment information, provider names, diagnoses, procedure information, and prescription information.

Health plan participants affected by the incident had the following data exposed: names, subscriber ID numbers, and benefits election information. A subset of individuals also had their Social Security number and/or driver’s license number exposed.

UMass Memorial Health said complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security number or driver’s license number was potentially compromised. UMass Memorial said it is enhancing email security, including enabling multifactor authentication, and will be re-educating the workforce on email best practices.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 209,048 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.