274K Patients Impacted by Benefit Recovery Specialists Credential Hack

A hacker obtained the credentials of a Benefit Recovery Specialists’ employee to gain access to the insurer’s systems and deploy malware; a business associate breach and email hacks complete this week’s breach roundup.

More than 274,000 patients from several healthcare providers and payers that use Benefit Recovery Specialists (BRSI) for billing and collections services are being notified that their data was potentially breached after a hacker obtained employee credentials to deploy malware. 

The BRSI breach is now the sixth largest healthcare data breach of 2020 and includes personal data from both current and former members of certain providers or health plans contracted with BRSI.

According to the notification, officials said they discovered a malware incident on some of BRSI’s servers on April 30. The systems were then taken offline to remove the malware and allow BRSI to assess the security of its environment.

An investigation launched with assistance from third-party cybersecurity specialists concluded on May 29. Officials said they confirmed a hacker accessed the systems using stolen employee credentials, which allowed the threat actor to either access or acquire some customer files for 10 days between April 20 and April 30.

The compromised data could include names, dates of birth, policy identification numbers, provider names, diagnosis codes, dates of service, and/or procedure codes. Social Security numbers may have been affected for a small subset of patients.

Throughout the COVID-19 pandemic, hackers have continuously targeted credentials to gain access to enterprise networks, particularly those in healthcare, given the rise in remote care and telework. Password reuse is a major contributing factor in these attacks, as many employees will use the same password for both work and personal accounts. 

“The number one risk is phishing, which can obtain credentials,” Brian Foster, the senior vice president of MobileIron, told HealthITSecurity.com in an earlier interview. “And the number one way to prevent that is to implement two-factor or multi-factor authentication.” 

Business Associate Coding Error Impacts Providence Health Plan 

In April, business associate Zipari notified Oregon-based Providence Health Plan that the data of 49,511 members was exposed due to a coding error, which allowed unauthorized users to access unencrypted enrollment documents. Zipari contracted with Providence Health to prepare enrollment documents for employer-sponsored plans.

After the error was discovered on April 9, Zipari launched an investigation that found Providence Health Plan documents were accessed by unauthorized IP addresses as early as May 2019, and again in September and November 2019.

The exposed information included data from small employer group renewals, such as employer names, member names, and dates of birth. Social Security numbers, health information, and other medical data were not compromised during the incident.

All impacted patients will receive a year of free identity theft protection services. Zipari has since fixed the coding error and installed improved access controls to prevent a recurrence. Providence Health will arrange a third-party audit of Zipari’s security practices. 

This is the second business associate breach for Providence Health in the last year. A massive 2019 hack on Dominion National included the data from 122,000 Providence Health Plan members.

Salinas Valley Memorial Reports Employee Email Hacks

California-based Salinas Valley Memorial Healthcare System (SVMHS) recently notified 786 patients after multiple employee email accounts were hacked in April. 

The first account compromise was discovered on April 30. An investigation that followed showed additional accounts of a contractor and three other employees were also hacked. Officials said the accounts were compromised through SVMHS’s browser-based email access solution, Outlook Web Access. 

An account review found patient data in just one of the accounts, while evidence suggests the attackers only had access for several hours before officials discovered the incident and disabled access.  

The potentially compromised data could include names, hospital account numbers, medical record numbers, and attending physician information, among other personal data. The accounts did not contain any Social Security numbers, driver’s licenses, or bank account numbers. There’s no evidence the hacker viewed, retrieved, or copied the data.
