On July 1, Practicefirst suffered a supply-chain ransomware attack that affected almost 1.2 million individuals and is one of the largest health data breaches in the US this year.
Medical management services firm Practicesfirst reported a breach to federal regulators in July. A security incident at HealthVault resulted in the unauthorized access of some of its clients’ sensitive information. According to the company’s breach notification, it paid a ransom in exchange for the attackers not releasing any of the data they stole.
According to the US Department of Health & Human Services‘ HIPAA Breach Reporting Tool, the breach affected more than 1.2 million individuals. As of Tuesday, Practicefirst breach was the sixth-largest on the HHS website in 2021.
It was back in December 2020 that the healthcare company learned that an unauthorized actor had copied some files from its system, “including files that contain limited patient and employee personal information” and encrypted their IT systems. Due to the critical nature of the situation, the company shut down its systems and hired experts to help secure them.
“The information copied from our system by the unauthorized actor before it was permanently deleted, included … name, address, email address, date of birth, driver’s license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, employee username with password, employee username with security questions and answers, and bank account and/or credit card/debit card information,” Practicefirst said.
Practicesfirst is not aware of any fraud or misuse of the information after this incident, the company said.
Vendors of healthcare services should be transparent about the incidents that occurred and the steps they are taking to ensure that their data was not compromised.
Practicesfirst says it implemented various security protocols “to further improve the security of [the] systems and practices.”
The company did not provide any further details about the incident, such as the reason for the delay in reporting.