More than 31,000 patient records leaked by Third-Party, admits Indiana-based healthcare firm

• Indiana-based firm Managed Health Services found out that the protected health information (PHI) of 31,876 members was compromised in two separate incidents in 2018.
• Managed Health Service maintains various healthcare programs including Hoosier Healthwise, and Hoosier Care Connect Medicaid program.

Managed Health Services (MHS), a managed care firm in the Indiana state, recently revealed that patient data of 31,876 members of its programs had been compromised in two different security incidents in 2018.

When did the breach occur?

On October 29, 2018, MHS launched an investigation after learning that protected health information of its members including names, insurance ID numbers, addresses, dates of birth, dates of service and descriptions of medical conditions, was possibly disclosed by a third-party.

It was found out that in July 2018, one of its vendors, LCP Transportation, became the victim of a phishing attack which gave away MHS’s protected health information (PHI). The email accounts of LCP employees had been compromised which provided the cybercriminals with important credentials that allowed them to access the confidential patient data. Upon learning about the incident, LCP disabled the affected email accounts on September 2018.

It is noteworthy that MHS faced another smaller data leak which occurred in October 2018 due to mailing errors at MHS while sending notification letters to its members. The mis-mailed letters resulted in PHI details of 576 members getting sent to addresses of other members in the list instead of their own address.

Impact

A news release from HIPAA Journal highlighted the incident stating, “While no evidence of PHI misuse has been detected, it is possible that emails in the accounts were accessed by the attacker. Some of the emails in the compromised accounts contained plan members’ PHI including names, addresses, dates of birth, dates of service, insurance ID numbers, and a description of medical conditions.”

Fred Kneip, CEO of CyberGRX, told Infosecurity Magazine, “Phishing attacks are a favorite for malicious adversaries as one of the most successful methods for stealing and exposing data. LCP Transportation, a third-party vendor of Managed Health Services, recently felt the impact of how a phishing attack targeted at their employees can trickle down the chain – ultimately breaching roughly 31,000 patient records held by their business associate.”

“To combat this, healthcare providers require a cyber solution that moves beyond previous, static approaches to third-party cyber-risk management that is unable to scale with their growing ecosystems,” Kneip added.

Mitigation

Post the investigation, MHS issued notifications to all the affected parties. It is also offering complimentary credit monitoring services for a year to all the affected members through CyberScan.

It is noteworthy that MHS faced another smaller data leak which occurred in October 2018 due to mailing errors at MHS while sending notification letters to its members. The mis-mailed letters resulted in PHI details of 576 members getting sent to addresses of other members in the list instead of their own address.

“Managed Health Services has taken steps to prevent mailing errors in the future including reinforcing mailing policies and procedures and reviewing practices in relation to the submission of mailing addresses to its national mailing center,” HIPAA Journal reported.