The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medicare Data Exposed in Data Breach at Boston Consulting Firm

Posted By on Apr 10, 2024

Greylock McKinnon Associates, Inc., (GMA) a Boston consulting firm that provides litigation support, has suffered a data breach affecting 341,650 individuals. According to the GMA breach notice, a security incident was detected on May 30, 2023, with the subsequent forensic investigation revealing it had fallen victim to a sophisticated cyberattack. The exposure of sensitive personal data was detected on February 7, 2024.

The breach included Medicare health insurance claim numbers (which contain Social Security numbers), health insurance information, and medical information along with names, addresses, and dates of birth. GMA said the personal data was obtained by the Department of Justice (DoJ) as part of a civil litigation matter, and that the data was provided to GMA by the DOJ in relation to the litigation support provided by the firm. GMA confirmed that the affected individuals were not the subject of the investigation or the associated litigation, and the DOJ has confirmed that the incident does not affect their current Medicare benefits or coverage. Notification letters were sent to the affected individuals on April 8, 2024, and they have been offered complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.

Medicare data, medical information, and health insurance information are classed as protected health information under the Health Insurance Portability and Accountability Act (HIPAA), but only if that information is collected, processed, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity. Neither GMA nor the DOJ are HIPAA-covered entities or business associates, so the breached information is not protected under HIPAA.

However, companies such as GMA are required to comply with the Federal Trade Commission (FTC) Act, and the FTC has taken several actions against companies over data breaches in recent months, including the failure to issue prompt notifications, as required by the FTC’s Health Breach Notification Rule. Like the HIPAA Breach Notification Rule, the FTC Health Breach Notification Rule requires individual notification letters to be issued without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security. GMA sent its notification letters 9 months after the security breach was detected, which could see the company investigated by the FTC. GMA is currently facing at least one class action lawsuit over the data breach, which alleges violations of the FTC Act and Health Breach Notification Rule.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist