Big Clinic Breach Tied to Vendor's 2021 Ransomware Attack
Florida Urgent Care Center Says Incident Involved Billing Vendor PracticeMax
An operator of Florida urgent care clinics is only now reporting to federal regulators a health data breach affecting hundreds of thousands of individuals tied to a May 2021 ransomware attack on a billing and practice management vendor.
Tampa, Florida-based Synergic Healthcare Solutions LLC, which does business as Fast Track Urgent Care Center, reported on July 12 to the U.S. Department of Health and Human Services an incident involving a network server affecting 258,411 individuals.
In a statement posted on its website, Fast Track says it was informed more than 15 months ago - on May 10, 2021 - that one of its vendors, PracticeMax Inc., had discovered on May 1, 2021, that an unauthorized individual had gained access to its systems.
At that time, PracticeMax could not confirm whether personal information of any of the clinic patients had been affected, Fast Track's notice says.
In February 2022, PracticeMax informed the clinic "for the first time" that Fast Track’s customer and patient data may have been affected as a result of the incident, Fast Track says.
"PracticeMax's investigation was still ongoing at that time to determine whether Fast Track customer and patient data had been subject to unauthorized access as a result of the incident. Finally, on June 6, PracticeMax confirmed that an unauthorized individual was able to access Fast Track's customer and patient data," Fast Track says.
Regulatory attorney Rachel Rose, who has worked with forensic firms post-breach, says it can sometimes take several months to determine the extent of a PHI breach, "but over a year raises flags."
Kate Borten, president of privacy and security consulting firm The Marblehead Group, offers a similar assessment.
"It can be difficult to analyze the extent and details of a breach, but the delay in this case seems extreme," she says. "Vendors should take PHI potential breaches as seriously as the covered entities having direct relationships with affected patients."
Affected information included individuals' names, dates of birth, Social Security numbers, passport numbers, driver's license or state identification numbers, treatment and/or diagnosis information, health insurance information, financial information, and/or health information, Fast Track says.
PracticeMax is offering credit and identity monitoring services to those affected, Fast Track says.
Arizona-based PracticeMax first publicly disclosed its cyber incident last October (see: PHI May Have Been Removed in Vendor's Ransomware Attack).
At that time, PracticeMax sent out breach notification letters to certain members of coordination of care health plan clients Humana, Anthem and DaVita Inc., telling individuals that their PHI may have been affected by a ransomware attack that began on April 12 and ended on May 5, 2021.
PracticeMax said last October that it had contacted the FBI about the incident and notified state and federal regulators.
The HHS Office for Civil Rights' HIPAA Breach Reporting Tool website - which lists health data breaches affecting 500 or more individuals - shows that PracticeMax reported the hacking incident on June 30, 2021, as affecting 500 individuals.
In a notice posted on PracticeMax's website about the incident, the company says its investigation included a review of an affected server and certain compromised email accounts. Some of the data on PracticeMax's server was encrypted as a result of the ransomware, the statement says.
While the company's investigation did not identify evidence confirming that sensitive data had been accessed, acquired or disclosed without authorization, it could not rule out that possibility, the statement says.
Since the incident, PracticeMax has reviewed its existing policies and procedures and implemented additional security safeguards, the company's statement says.
Neither Fast Track nor PracticeMax immediately responded to Information Security Media Group's request for additional details about the breach.
Breach Time Lags
Under HIPAA, HHS and affected individuals must be notified about PHI breaches affecting 500 or more individuals within 60 days of discovering a breach. Some states have even shorter breach notification timelines.
Factors sometimes playing into breach determination and notification also include the facts and circumstances of an incident, such as the advice potentially given by law enforcement and outside counsel, Rose says.
"By default, the covered entity must notify HHS and the patients; however, it is possible for the business associate to do so, so long as a provision is in the business associate agreement," she says.
"The best course of action is for both the covered entity and the business associate to file a breach report, especially in incidents involving more than 500 individuals," Rose says.