WellCare Health Reports Security Breach Affecting 24,800 Patients

In August 2016, Summit Reinsurance Services experienced a data breach affecting a number of its healthcare clients. Highmark Blue Cross Blue Shield of Delaware was informed in early January that 19,000 of its members were impacted by the breach. Now, WellCare Health Plans has announced that 24,809 of its members have also been impacted by that security incident.

Summit Reinsurance Services had previously been contracted by WellCare to provide reinsurance services. WellCare no longer uses SummitRe as its reinsurance service provider, although the breach dates back to before WellCare’s association with the company was terminated.

WellCare was informed on December 27, 2016 that a ransomware infection had occurred at SummitRe on August 8, 2016 and that its members’ electronic protected health information had potentially been accessed by the attacker.

The ransomware encrypted a range of sensitive data including names, member IDs, home addresses, dates of birth, Social Security numbers, medical diagnoses and provider names and locations.

While many ransomware infections occur randomly as a result of employees opening malicious email attachments or from visiting malware-infected websites, in this case the investigation into the breach revealed that access to SummitRe’s system was first gained on March 12, 2016, approximately 5 months prior to ransomware being installed. That suggests the attacker had time to view sensitive information stored on its system and installed ransomware when there was no further need for system access.

While data were potentially accessed and viewed, neither Summit Reinsurance Services nor WellCare has uncovered any evidence to suggest that PHI was stolen by the attackers, nor that any ePHI has been misused.

75,000-Record Breach Discovered at Texas Medical Clinic

The breach would take the title of the worst healthcare data breach of 2017 to date, having resulted in the exposure of more than twice the number of records as the Verity Health System breach; however, yesterday, a new report appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal.

Stephenville Medical & Surgical Clinic in Stephenville, Texas, reported a security breach has impacted 75,000 individuals. The incident involved the unauthorized accessing of a desktop computer, although at present few details of the incident have been released. An incident report will be posted on this site when further information becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.