Healthcare Orgs Continue to Report Impacts of Recent Third-Party Data Breaches

Healthcare organizations continue to report the impacts of various third-party data breaches, including incidents at Eye Care Leaders, Netgain, and the Medical Review Institute of America.

Third-party data breaches are continuing to overwhelm the healthcare sector, based on the current state of the HHS Office for Civil Rights (OCR) data breach portal.

As organizations continue to report the impacts of the Eye Care Leaders (ECL) breach, other organizations are reporting the damages of previously reported breaches, such as the 2020 Netgain incident or the 2021 Medical Review Institute of America (MRIoA) breach.  

Healthcare Organizations Continue to Report Eye Care Leaders Breach

As reported extensively, Eye Care Leaders, which offers an ophthalmology-specific EMR solution, experienced unauthorized access to its myCare Integrity system in December 2021. Since ECL began notifying impacted organizations of the breach, organizations have been steadily contributing reports to HHS’ Office for Civil Rights (OCR) data breach portal.

The total breach tally has surpassed 2 million individuals. Sight Partners Physicians added 86,101 individuals to the breach tally. Although Sight Partners had already stopped doing business with ECL prior to the incident, data from before June 2021 was still stored in Sight Partners’ myCare Integrity EMR system, its notice to patients explained.

In addition, Arkansas Retina notified 57,394 individuals of the breach and noted that “there was no evidence that this incident involved unauthorized access to any of Arkansas Retina’s patient records.”

“However, a lack of available forensic evidence prevented Eye Care Leaders from ruling out the possibility that some protected health information and personally identifiable information may have been exposed to the bad actor,” the notice continued.

BCBS of Alabama Impacted by Medical Review Institute of America Breach

Blue Cross and Blue Shield (BCBS) of Alabama reported that 8,700 individuals connected to the organization were impacted by the November 2021 Medical Review Institute of America data breach.

“Blue Cross and Blue Shield of Alabama has been made aware that a small number of our members have been impacted by the data breach at the Medical Review Institute of America, an organization that conducts certain clinical reviews for three external Blue Cross vendors that help administer our members’ health plans,” BCBS of Alabama stated. “Notification by mail has been made to all impacted individuals.”

As previously reported, MRIoA, which provides clinical peer review services for some of the country’s largest health plans, self-insured employers, and government entities, discovered that it was the target of a sophisticated cyberattack in November.

MRIoA reported the incident to OCR and noted that it impacted 134,571 individuals. The exposed information may have included contact and demographic information, Social Security numbers, clinical information, and financial information.

“The security and privacy of the information contained within our systems is a top priority for us, and we were shocked and dismayed to learn that we were one of the thousands of victims of this type of cyberattack,” Ron Sullivan, CEO of MRIoA, explained in the notice.

“We are fully committed to protecting the information on our systems and sincerely regret the inconvenience and worry caused by this incident. We thank the community, our employees, and partners for their support during this event.”

Associated Eye Care Adds 40K to 2020 Netgain Breach Tally

Minnesota-based Associated Eye Care (AEC) provided notice to the Montana Department of Justice’s website about a third-party data breach that impacted 40,793 individuals associated with the organization.

The breach stemmed from Netgain Technology, a company that offers cloud IT solutions. As previously reported, Netgain discovered a breach in late 2020 that impacted numerous healthcare organizations, including LifeLong Medical Care, SAC Health Systems, Entira Family Clinics, San Diego Family Care, Woodcreek Provider Services, Elara Caring, and more.

At least in the case of Associated Eye Care, the unauthorized party responsible for the incident potentially had access to names, addresses, medical history, and Social Security numbers.

“In light of this incident, AEC replaced Netgain as its hosting vendor and migrated our environment and data to another service provider that has assured us the data will be hosted in such a way that it cannot be exposed in a similar attack,” the notice stated.

“Additionally, we are working to improve security and mitigate risk by reviewing and altering our policies and procedures relating to the security of our systems and servers, as well as our information life cycle management.”

St. Luke’s Health System Suffers Vendor Data Breach

St. Luke’s Health System in Idaho suffered a breach at its billing services center, Kaye-Smith, the Idaho Statesman reported. St. Luke’s learned of the breach on July 6, although it occurred in late May.

The breach potentially impacted 31,573 individuals, St. Luke’s spokesperson Christine Myron told the local publication. There is no evidence that any data was misused at this time.

The data included names, ID numbers, addresses, last five digits of Social Security numbers, service dates and locations, provider names, patient account numbers, payment due dates, outstanding balances, and payment account statuses.

Myron told the Idaho Statesman that Kaye-Smith and St. Luke’s were both “actively monitoring for any indication of misuse of St. Luke’s patient information.”

Patients will soon receive a letter in the mail regarding the incident, Myron said.
