On Friday, the Medical Review Institute of America (MRIoA) began alerting certain people that their personal information had been compromised in a hack. According to MRIoA, the incident was detected on November 9, 2021. A few days later, the organization found that personal data had been compromised in the hack, and it had recovered it by November 16.
The theft of protected health information, including names, genders, birth dates, phone numbers, physical and email addresses, Social Security numbers, complete clinical data (including diagnosis, medical history, treatment, and lab test results), and financial information, was discovered during the investigation (such as health insurance policy and group plan number).
The MRIoA claims to have made efforts to improve its security. It has increased multifactor authentication safeguards, replaced servers with new ones, established a protected backup environment, amended cybersecurity rules, and improved staff training. According to a data breach notification filed by the Maine Attorney General’s Office, the incident affected approximately 134,000 people.
The organization has not revealed the type of hack. However, it did declare that it “took efforts to safeguard and safely restore its systems and operations” shortly after the event, implying that ransomware was involved. Furthermore, the organization stated that it “retrieved and later confirmed the destruction of” the stolen material, indicating that MRIoA contacted and bargained with the perpetrators. MRIoA has yet to respond to an email request for confirmation about ransomware that was used in the event and whether or not a ransom was paid.