HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Patients Receive Notifications of PHI Theft 8 Months After Business Associate Data Breach was Detected

Sharecare Health Data Services (SHDS), a San Diego company that provides secure electronic exchange and medical records management services for healthcare organizations, has alerted some of its clients that hackers gained access to parts of its systems that contained sensitive patient information.

SHDS detected abnormal network activity on June 26, 2018, prompting an in-depth investigation. The investigation revealed hackers gained access to systems containing protected health information as early as May 21, 2018. Access remained possible until June 26, 2018, during which time PHI was accessed and exfiltrated by the hackers to locations outside the U.S.

SHDS engaged the services of cybersecurity firm Mandiant to assist with the forensic investigation of the breach. The breach was also reported to the FBI and SHDS has been assisting with its investigation.

SHDS has since taken steps to enhance security and prevent further breaches. Data retention policies have been revised, maintenance communications and protocols have been improved to ensure continuity across its network, and SHDS has retained a third-party firm to provide 24/7 monitoring of its data systems.


On December 31, 2018, Sharecare Health Data Services alerted at least two healthcare organizations that their data had potentially been accessed as a result of the attack, more than 5 months after the discovery of the breach. No reason for the delayed notification has been offered.

Los Angeles-based healthcare provider AltaMed Health Services Corporation has announced that 5,500 of its patients were affected by the breach. In its breach notice to the California Attorney General, AltaMed said the information obtained by the hackers was limited to names, addresses, birth dates, unique patient ID numbers, addresses where healthcare services were provided, and, for some patients, internal SHDS processing notes and medical record numbers. Social Security numbers, financial information, and detailed clinical information were not stolen in the attack. Patients affected by the breach were notified on February 15, 2019, and have been offered 12 months of credit monitoring and identity theft protection services without charge.

The California Physicians’ Service, doing business as Blue Shield of California, has also notified the California Attorney General about the breach. Blue Shield of California members affected by the breach have had the following information stolen: names, addresses, birth dates, Blue Shield ID numbers, addresses where healthcare services were provided, and, for some patients, internal SHDS processing notes, medical record numbers, and provider names. Twelve months of credit monitoring and identity theft protection services have also been offered without charge. Those services can be renewed annually for individuals who remain Blue Shield members.

According to the breach summary on the OCR website, 18,416 Blue Shield of California members have had their PHI exposed as a result of the SHDS breach.

It is currently unclear how many other healthcare clients have been impacted by the SHDS breach.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.