Several Orgs Impacted by Email Security Breach at RCM Vendor

An email security breach at RCM vendor Conifer Revenue Cycle Solutions potentially exposed PHI at several healthcare organizations.

Multiple healthcare organizations were impacted by an email security breach at Conifer Revenue Cycle Solutions, a revenue cycle management (RCM) and administrative services vendor. The impacted organizations included Baptist Medical Center, Resolute Health Hospital, The Hospitals of Providence Memorial Campus, and the Brownsville and Harlingen locations of Valley Baptist Medical Center.

On April 14, Conifer said it discovered that an unauthorized party had gained access to a business email account. Further investigation revealed that the unauthorized party was able to access the account on January 20.

“Based on a detailed review conducted between June 13, 2022 and August 3, 2022, it was determined that your personal information associated with a healthcare provider was in the impacted business email account,” Conifer told impacted individuals.

“Even though Conifer conducted a thorough investigation, it was not possible to conclusively determine whether personal information was actually accessed by the unauthorized party. To date, we are not aware of any misuse of your data.”

The information involved in the incident potentially included names, birth dates, addresses, financial account information, Social Security numbers, driver’s license numbers, medical record numbers, provider and facility information, diagnoses, prescription information, dates of service, health insurance information, and billing and claims information.

“Conifer takes privacy and security very seriously. In response to this incident, Conifer immediately took action to block malicious IP addresses and URLs. In addition, the password for the impacted account was reset shortly after the unauthorized access,” the notice explained.

“Conifer has enhanced and continues to enhance its security controls and monitoring practices as appropriate to minimize the risk of any similar incident in the future, and Conifer accelerated its implementation of multi-factor authentication for business email accounts within the environment.”

Florida Springs Surgery Center Suffers Phishing Attack

Florida Springs Surgery Center (FSSC) suffered a phishing attack in June that impacted 2,203 individuals. In its notice to impacted individuals, FSSC explained that an unauthorized third party gained access to a Microsoft Office 365-hosted business email account between May 25 and June 2.

“This email account is separate from FSSC’s internal network and systems, which were not affected by this incident,” FSSC explained.

The data involved in the incident potentially included names, addresses, birth dates, Social Security numbers, financial account information, driver’s license numbers, medical record numbers, provider names, diagnoses, prescription information, dates of service, health insurance information, and billing and claims information.

“FSSC takes privacy and security very seriously. As soon as FSSC discovered the incident, it immediately took action to prevent any further unauthorized activity, including removing phishing emails from all user mailboxes, resetting the user password for the business email account where unauthorized activity was detected, and blocking malicious IP addresses and URLs,” the notice stated.

“FSSC has enhanced and continues to enhance its security controls and monitoring practices as appropriate to minimize the risk of any similar incident in the future and implemented multi-factor authentication for business email accounts within the environment.”

Arkansas-based Independent Case Management Faces Ransomware Attack

Independent Case Management (ICM), an Arkansas-based nonprofit organization that provides in-home and community-based support to people with intellectual and developmental disabilities, began notifying 3,307 individuals of a ransomware attack.

The ransom note was dated December 24, 2021, but ICM did not discover the note until June 15, 2022. The unauthorized party managed to access and encrypt data on three servers containing historical employee and customer data.

The infected servers contained names, addresses, Social Security numbers, birth dates, health records, insurance plan information, payment information, Medicaid numbers, and employment files. ICM recommended that impacted individuals monitor health insurance claims and financial account information.

ICM also said that it has since performed security scans of its systems and implemented additional security measures that will allow for faster threat detection. Additionally, ICM said it would provide additional security training to all employees and perform periodic risk assessments.
