Benefit Recovery Specialists, Inc., a billing and collection firm located in Houston, TX, reported finding malware on its networks, and unauthorized persons may have accessed some protected health information (PHI).
BRSI as a business associate to healthcare companies and health plans got access to the personal information and PHI of the said entities’ present and past patients and members, which are kept on the BRSI systems.
BRSI found the malware on April 30, 2020 and started an internal investigation straight away. Third-party computer forensics professionals looked into the breach to determine the malware attack’s extent. Based on the investigation findings, an unauthorized individual got access to the BRSI systems by utilizing stolen employee account credentials. After getting into the system, the attacker installed the malware.
The forensic investigators stated the attacker accessed the BRSI systems on April 20, 2020 until April 30, 2020. While the attacker viewed the PHI, it was possible to copy the same. BRSI published a substitute breach notice on its web page although it did not mention what kind of malware was employed.
The sensitive information located on its systems that had been compromised included names, birth dates, names of providers, dates of service, policy ID numbers, diagnosis codes, and/or process codes. Some people also had their Social Security numbers compromised.
The breach investigation concluded on May 29, 2020, and BRSI started mailing notification letters to the affected patients on June 2, 2020. The investigators did not find any evidence that PHI was misused, nonetheless, BRSI instructed those affected to remain alert with regards to the prospective of identity theft and fraud. They should keep reviewing their account activities and explanation of benefits statements to watch out for data misuse. Based on the substitute breach notice, it appears that BRSI did not provide credit monitoring services to the breach victims.
BRSI already submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights. According to the breach summary, 274,837 people were impacted by the breach. To date, this healthcare data breach is one of the biggest that is reported in 2020.