US healthcare org admits up to 400,000 people's personal info was snatched

It waited till just before Columbus Day weekend to make its mandated filing, but don't worry, we saw it

The Register

A Houston-based services provider to healthcare organizations says a crook may have grabbed up to 400,000 people's information after the miscreant accessed the systems of one of its customers.

Gryphon Healthcare, which provides revenue cycle and management services, said patients' names, dates of birth, addresses, and Social Security numbers were all potentially accessed by a malicious attacker.

It said the miscreant may have got hold of patient medical data including diagnoses, details of medical treatments and providers, prescriptions, health insurance information, and medical record numbers.

Regardless, the company said: "Gryphon takes the privacy and security of all information within its possession very seriously."

It also offered the usual disclosure line that there's no reason to believe the data has been misused yet (which often means a company has hired someone to monitor the dark web for samples up for sale). All victims have been offered the standard 12 months of credit monitoring and identity protection services.

The details of these 393,358 individuals were being stored by an organization for which Gryphon provided medical billing services, the company said.

According to the company's website, such organizations could include hospitals, emergency departments and EMS providers, imaging centers, independent labs, the incredibly broad catch-all "healthcare facilities," ambulatory surgery centers, and private practices.

Gryphon detected the incident on August 13, finished its review of the impacted data on September 3, and began notifying those affected on Friday. According to its filing with Maine's Attorney General, the first time the data was accessed by an unauthorized person was on July 6.

"As soon as Gryphon discovered this incident, Gryphon took the steps described above and implemented measures to enhance security and minimize the risk of a similar incident occurring in the future," it said.

"The privacy and protection of personal and protected health information is a top priority for Gryphon. We deeply regret any inconvenience or concern this incident may cause."

Gryphon didn't specify the nature of the events that led to the exposure of the data, describing it only as a "recent data security incident."

However, it may have to reveal a little more in the coming months as lawyers wasted no time in working up a proposed class-action lawsuit.

Tulsa, OK-based Abington Cole and Ellery started appealing for victims of the data protection mess to come forward on Saturday, a day after letters to victims were mailed out.

Within a month of its ransomware disaster earlier this year, UnitedHealth – the parent company of Change Healthcare – was hit with at least six class-action lawsuits.

The total number of lawsuits it's currently handling is unknown but multiple law firms filed similar class-actions as recently as June. Per reports at the time, a total of 49 other lawsuits, separate from the class actions, were also centralized by a judicial panel and are due to be brought to UnitedHealth in Minnesota, where it is headquartered.

Class representatives in these cases range from the individual victims of the breach to healthcare partners and investors.

Of course, where there's blame, there's a claim. Class actions following medical data thefts – often the most sensitive of all the attacks we report here – are fairly common and can be relatively lucrative for claimants.

Med-Data, another revenue cycle management company that's also based in Texas, agreed a $7 million settlement in April this year with victims whose data was stolen in 2022. Each was able to claim up to $5,000 for their ordeal.

Even more recently, a $65 million settlement was agreed by Pennsylvania-based Lehigh Valley Health Network for its 2023 ALPHV/BlackCat breach. The lawyers who won the case, from the firm Saltz Mongeluzzi Bendesky, claimed the settlement was "the largest of its kind, on a per-patient basis, in a healthcare data breach ransomware case."

In an appalling indignity, the attacker even posted nude photos of cancer patients online. Those whose naked images were published were eligible for the highest tier of damages: a sum between $70,000 and $80,000. ®