Tens of Thousands of Individuals Affected by AllyAlign Health Ransomware Attack
AllyAlign Health, a Glen Allen, VA-based Medicare Advantage health plan administrator, has started notifying members and providers about an attempted ransomware attack that occurred on November 13, 2020.
According to the breach notification letters sent to affected individuals, AllyAlign Health first became aware of the attack on November 14, 2020. An investigation of the incident found the systems accessed by the attackers contained members’ first and last names, addresses, dates of birth, Social Security numbers, Medicare health insurance claim numbers, Medicare beneficiary identifiers, medical claims histories, health insurance policy numbers, and other medical information.
Providers affected by the breach have been notified that names, addresses, dates of birth, Social Security numbers, and Council for Affordable Quality Healthcare (CAQH) credentialing information may have been compromised.
It is unclear exactly how many individuals have been affected by the incident. According to the breach notification sent to the Maine Attorney General, the protected health information of 76,348 individuals was potentially compromised in the breach. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 33,932 individuals have been affected. The 33,932 individuals could be members, with the rest being providers.
The Attorney General notification indicates the breach was discovered on February 2, 2021. This could be the date when the breach investigation was completed and the number of individuals affected became known.
AllyAlign Health said it acted quickly to respond to the breach and engaged IT specialists to ensure the security of its network environment. Since the breach occurred, policies and procedures relating to the security of its systems and servers and to information life cycle management have been updated. Notification letters were sent to affected individuals on February 26, 2021, and credit monitoring and identity theft protection services have been offered. At the time of issuing notifications, no reports had been received related to the misuse of member or provider data.