Additional Orgs Report Aftermath of OneTouchPoint Data Breach

The OneTouchPoint data breach tally continues to grow as more healthcare organizations submit individual breach reports to OCR.

Common Ground Healthcare Cooperative and Medical Mutual of Ohio each submitted reports regarding the OneTouchPoint (OTP) data breach to the HHS Office for Civil Rights (OCR) recently.

OTP originally reported the breach to OCR in July, noting that it had impacted 1,073,316 individuals. However, the third-party mailing and printing vendor recently provided an updated breach notice to the Maine Attorney General’s Office stating that the breach actually impacted more than 2.6 million individuals.

“OTP is providing this notice on its own behalf as the individuals notified in this round of notice are current or former employees,” OTP stated in the updated notification.

In its original notice, OTP explained that it had discovered encrypted files on certain computer systems in late April. After launching an investigation, OTP determined that an unauthorized party had accessed certain servers.

The affected files contained member IDs, names, and information provided during health assessments. More than 35 organizations were impacted by the breach, including Anthem ACE, Kaiser Permanente, Geisinger, Humana, UPMC Health Plan, and several affiliates of Blue Cross Blue Shield.

Common Ground Healthcare Cooperative more recently reported that the breach impacted 133,714 of its members and linked to OTP’s breach notice on its website.

Medical Mutual of Ohio reported that 1,377 of its members had been impacted by the breach. Specifically, Medical Mutual said that OTP had provided printing and mailing services for its tobacco cessation program, which is administered by National Jewish Health.

“The OTP incident potentially affected names, addresses, dates of birth and ‘quit date’ goals of Quit Logix/QuitLine participants,” Medical Mutual explained.

“This information was used by National Jewish Health to send welcome letters and program information.”

Medical Mutual’s notice explained that it was still investigating the incident and reviewing business practices surrounding the privacy and security of its members’ personal information.

At the time of publication, OCR’s data breach portal did not reflect the revised breach tally. But the updated notification provided to the Maine Attorney General’s Office would make the incident the largest reported healthcare data breach of 2022 so far by number of individuals impacted.

OneTouchPoint is now facing at least one lawsuit over the breach. The lawsuit alleged that OTP failed to safeguard the information of its customers.

“As a result of the Data Breach, Plaintiff and over one million Class Members suffered ascertainable losses in the form of losing the benefit of their bargain, incurring out-of-pocket expenses, and the value of their time reasonably invested to remedy or mitigate the effects of the attack and the substantial and imminent risk of identity theft,” the filing alleged.

The wide reach of the OTP breach further emphasized the importance of third-party risk management in healthcare.
