Patient Data Stolen in Cyberattack on the Medical Review Institute of America

The Medical Review Institute of America (MRoiA) suffered a suspected ransomware attack in November 2021 in which sensitive patient data were stolen.

MRoiA receives patient data from HIPAA-covered entities as part of the clinical peer review of healthcare services. In a data breach notice provided to the Vermont attorney general, MRoiA said it was the victim of a sophisticated cyberattack that was detected on November 9, 2021. Third-party cybersecurity experts were immediately engaged to conduct a forensic investigation to determine the nature and scope of the attack and to assist with remediation efforts, including restoring its systems and operations.

On November 12, 2021, MRoiA discovered the attackers had exfiltrated sensitive data, including patients’ electronic protected health information (ePHI). MRoiA did not state in the breach notification letter whether ransomware was involved, although the attack has the hallmarks of a double-extortion ransomware attack.

MRoiA said that on November 16, 2021, it received assurances that the stolen data had been retrieved and all copies of the data had been deleted, which suggests the ransom demand was paid, although that has not been confirmed.

MRoiA said the investigation into the attack is ongoing, although the review of the compromised files has been completed. Individuals affected by the attack have had their full names compromised in addition to one or more of the following data elements: gender, home address, phone number, email address, date of birth, Social Security number, medical history, diagnosis, treatment information, dates of service, lab test results, prescription information, provider name, medical account number (and other data stored in medical files/records), health insurance information, and claims information.

MRoiA said that prior to the breach it had adopted the HITRUST Common Security Framework (CSF), was compliant with the requirements of HIPAA and the HITECH Act, and had secured its systems to prevent unauthorized access. In response to the breach, additional cybersecurity safeguards are being implemented. These include constant monitoring of systems using advanced threat hunting and detection software, implementing additional authentication procedures, hardening its backup environment, and enhancing employee cybersecurity training.

New servers were built from the ground up to ensure no further unauthorized access was possible, and MRoiA is working with third-party cybersecurity experts to further improve its security posture. Affected individuals have been offered complimentary identity monitoring services.

The HHS’ Office for Civil Rights breach portal shows 134,571 individuals have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.