R1 RCM Medical Collection Agency Suffers Ransomware Attack

Share this article on:

One of the largest medical debt collection agencies in the United States has suffered a ransomware attack. Chicago-based R1 RCM, formerly Accretive Health Inc., generated $1.18 billion in revenue in 2019 and works with more than 750 healthcare clients. It is currently unclear how many of its clients have been affected by the attack.

The breach was recently reported by Brian Krebs of Krebs on Security. R1 RCM confirmed that it was attacked with ransomware and its systems were taken down in response to the attack. Recovery efforts are ongoing.

No information has been released on the type of ransomware used in the attack and it is unclear if patient data was stolen prior to files being encrypted. Krebs spoke to a source close to the investigation who suggested the ransomware used in the attack was Defray. Defray ransomware is usually spread via malicious Word documents sent via email in small, targeted campaigns. The threat actors behind the ransomware have previously targeted education and healthcare verticals.

In 2019, the medical debt collection agency, American Medical Collection Agency (AMCA), was attacked with ransomware. Prior to data encryption, approximately 27 million records were stolen, making it the largest data breach of the year. The cost of the attack proved too much, and AMCA was forced into bankruptcy. With many more clients than AMCA, this ransomware attack has the potential to be far larger, although the operators of Defray ransomware are not known to steal data prior to file encryption.

Beaumont Health Phishing Attack Impacts 6,000 Patients

Beaumont Health, Michigan’s largest healthcare system, has started notifying 6,000 patients that some of their protected health information may have been accessed by unauthorized individuals as a result of a phishing attack.

Unauthorized individuals gained access to multiple employee email accounts between January 3, 2020 and January 29, 2020. Beaumont Health learned on June 5, 2020 that one or more of the breached email accounts contained patient data, including names, dates of birth, diagnoses, diagnosis codes, procedures performed, treatment location, treatment type, prescription information, Beaumont patient account numbers, and Beaumont medical record numbers. Affected patients were notified about the breach on July 28, 2020.

This is the second phishing-related breach to be reported by Beaumont Health in 2020. In April, 112,000 individuals were notified about a separate phishing attack that occurred in 2019. Following the attacks, Beaumont Health took significant steps to improve email security, including improving its multi-factor authentication software, conducting a risk analysis, and providing additional training and education to Beaumont employees on the identification and handling of malicious emails. Changes have also been made to internal policies and procedures to identify and remediate future threats to minimize the risk of a similar incident occurring in the future.

PHI of 3,736 Patients Potentially Compromised in Phishing Attack on The Connection, Inc.

The Connection, Inc., a Middletown CT-based provider of community-based behavioral health and substance use services, has discovered the email accounts of two of its employees have been accessed by unauthorized individuals. The security breach was discovered on February 13, 2020 when one of the employees started experiencing problems with their email account. The subsequent investigation confirmed that two email accounts had been breached between January 4, 2020 and February 13, 2020.

The individual(s) behind the attack attempted to change employees’ direct deposit information through payroll. While that appears to be the sole purpose of the attack, The Connection, Inc. could not rule out the possibility that information in the email accounts was stolen.

The email accounts contained information on current and former clients including names, dates of birth, mailing addresses, Social Security numbers, driver’s license numbers, financial account information medical record or patient account numbers, treatment and clinical information, prescription information, diagnoses, provider names, dates of treatment, and/or affiliation with The Connection. The Connection is unaware of any attempted misuse of client information.

Notification letters started to be sent to affected individuals on July 24, 2020. Individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity protection services.

The Connection has provided further training to the workforce on cybersecurity and multi-factor authentication has been implemented on email accounts.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On