Over 850,000 Individuals Affected by Partnership HealthPlan of California Cyberattack

In March 2022, Partnership HealthPlan of California (PHC) announced that third-party forensic specialists had been engaged to help restore the functionality of its IT systems following a cyberattack. PHC has now confirmed in a breach notification to the Maine Attorney General that the protected health information of 854,913 current and former health plan members has potentially been stolen, making this one of the largest healthcare data breaches to be reported so far this year.

According to the notification, the cyberattack was detected on or around March 19, 2022. Steps were immediately taken to contain the breach and an investigation was launched to determine the nature and scope of the attack. PHC said the forensic investigation uncovered evidence that the unauthorized party behind the cyberattack had removed files from the PHC network on or around March 19.

The review of the affected files is ongoing, and while it has yet to be confirmed which specific types of protected health information were included in the affected files, notification letters are starting to be sent to affected individuals. PHC said the types of information potentially stolen may include names, birth dates, addresses, email addresses, Social Security numbers, driver’s license numbers, Tribal ID numbers, medical record numbers, health insurance information, diagnoses, treatment and prescription information other medical information, and member portal usernames and passwords.

While PHC did not state the nature of the cyberattack in its breach notification, the Hive ransomware gang has claimed responsibility for the attack and alleges around 400 GB of files were stolen, a sample of which was temporarily uploaded to the group’s data leak site. PHC said it is reviewing and enhancing its policies and procedures relating to data protection and security, and additional security measures and safeguards will be implemented to protect against this type of event in the future. PHC is covering the cost of access to credit monitoring services for affected individuals for two years. A class action lawsuit has already been filed on behalf of individuals affected by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.