Getty Images

120K Priority Health Members Impacted By Third-Party Data Breach

Michigan-based health plan Priority Health notified approximately 120,000 individuals of a third-party data breach that originated at the law firm Warner Norcross & Judd.

Priority Health issued a notice about a third-party data breach that originated at the law firm Warner Norcross & Judd (WNJ) in October 2021. Priority Health is Michigan’s second-largest health plan and serves more than one million members per year.

According to Priority Health’s notice, WNJ discovered unauthorized activity on some of its systems on October 22, 2021. WNJ took steps to secure its network and notified Priority Health of the incident on June 6, 2022. The incident impacted approximately 120,000 Priority Health members.

Although there has been no evidence of misuse, the unauthorized party potentially accessed first and last names, pharmacy and claim information, drug names, and prescription dates from certain prescriptions filled in 2012.

“WNJ has sent notification of the incident to potentially impacted individuals and has provided resources to assist them,” the notice stated.

Behavioral Health Group Breach Impacts 197K

Texas-based Behavioral Health Group (BHG), also known as BHG Holdings, suffered a data security incident that impacted 197,507 individuals. According to a notice on its website, BHG discovered that an unauthorized party had potentially removed certain files and folders from portions of its network on December 5, 2021. BHG said it immediately took steps to secure its network.

By June 2022, BHG determined that the files and folders contained the information of individuals who had received services from BHG, including names, Social Security numbers, driver’s license numbers, financial account information, biometrics, medication information, medical record numbers, dates of service, passports, payment card information, and health insurance information. Not all information was impacted for all individuals.

BHG said it had no evidence that any information had been misused. The healthcare group notified impacted individuals of the breach on July 27. It is important to note that HIPAA requires organizations to notify impacted individuals of a breach that affected more than 500 people within 60 days of discovery.

“In response to this incident, BHG has strengthened it network and implemented additional security improvements recommended by third-party cyber security experts,” the notice stated.

“These include resetting account passwords and strengthening its password security policies, implementing multi-factor authentication for network access, upgrading its endpoint detection software, integration of a 24/7 third-party security monitoring service and coordinating additional employee training related to network security and threat detection.”

First Choice Community Healthcare Breach Impacts 101K

First Choice Community Healthcare in Albuquerque, New Mexico, began notifying 101,541 individuals of a data security incident that involved the information of patients who sought treatment at First Choice.

First Choice first discovered suspicious activity on March 27, 2022. Further investigation revealed that an unauthorized party had potentially accessed or acquired certain personal information. The information involved included names, Social Security numbers, patient ID numbers, medications, dates of service, diagnosis and treatment information, birth dates, health insurance information, medical record numbers, patient account numbers, and provider information.

First Choice said it had no evidence that any information was misused. The organization began notifying impacted individuals of the incident on August 1.

“The privacy and protection of personal and protected health information is a top priority for First Choice, which deeply regrets any inconvenience or concern this incident may cause,” the notice stated.

Next Steps

Dig Deeper on Healthcare data breaches