Medicare Data Exposed in Data Breach at Boston Consulting Firm
Greylock McKinnon Associates, Inc. (GMA), a Boston consulting firm that provides litigation support, has suffered a data breach affecting 341,650 individuals. According to the GMA breach notice, a security incident was detected on May 30, 2023, and the subsequent forensic investigation revealed that the firm had fallen victim to a sophisticated cyberattack. The exposure of sensitive personal data was detected on February 7, 2024.
The breach included Medicare health insurance claim numbers (which contain Social Security numbers), health insurance information, and medical information, along with names, addresses, and dates of birth. GMA said the personal data was obtained by the Department of Justice (DOJ) as part of a civil litigation matter and was provided to GMA by the DOJ in relation to the litigation support the firm provides. GMA confirmed that the affected individuals were not the subject of the investigation or the associated litigation, and the DOJ has confirmed that the incident does not affect their current Medicare benefits or coverage. Notification letters were sent to the affected individuals on April 8, 2024, and they have been offered complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.
Medicare data, medical information, and health insurance information are classed as protected health information under the Health Insurance Portability and Accountability Act (HIPAA), but only if that information is collected, processed, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity. Neither GMA nor the DOJ are HIPAA-covered entities or business associates, so the breached information is not protected under HIPAA.
However, companies such as GMA are required to comply with the Federal Trade Commission (FTC) Act, and the FTC has taken several actions against companies over data breaches in recent months, including for the failure to issue prompt notifications as required by the FTC's Health Breach Notification Rule. Like the HIPAA Breach Notification Rule, the FTC Health Breach Notification Rule requires individual notification letters to be issued without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security. GMA sent its notification letters 9 months after the security breach was detected, which could see the company investigated by the FTC. GMA is currently facing at least one class action lawsuit over the data breach, which alleges violations of the FTC Act and the Health Breach Notification Rule.