Unauthorised Individual Accesses Sharecare Health Data Services’ Systems

Sharecare Health Data Services has reported that an unauthorised individual gained access to sensitive information stored in their systems.

Sharecare Health Data Services (SHDS), based in San Diego, provides secure electronic exchange and medical records management services for healthcare groups. SHDS discovered the attack when abnormal activity was discovered on their network on June 26, 2018. SHDS immediately launched an investigation into the suspicious activity.

The investigation revealed that cybercriminals accessed the system from May 21 to June 26, 2018. Investigators discovered that the hackers accessed and downloaded some protected health information (PHI) of their client’s. The hackers were located outside of the US.

SHDS contracted Mandiant, a forensic cybersecurity firm, to assist with the breach investigation. SHDS reported the breach to the FBI, and have been assisting with their investigation.

SHDS have implemented new protocols to mitigate the risks of another breach of this nature reoccurring. They have revised their data retention policies have been revised and enhanced their maintenance communications and protocols to ensure continuity across its network. SHDS has contracted a third-party firm to provide 24/7 monitoring of its data systems.

SHDS notified two healthcare groups that hackers may have accessed their data during the attack on December 31, 2018. SHDS gave this notification more than five months after they discovered the breach—in violation of HIPAA’s Breach Notification Rule, which states that breaches must be reported within a short time frame of discovery. SHDS have not offered any reason for the delay.

AltaMed Health Services Corporation, a Los Angeles-based healthcare supplier, has announced that the breach impacted almost 6,000 patients. In its breach notice to the California Attorney General, AltaMed said the information obtained by the hackers was restricted to names, addresses, birth dates, unique patient ID numbers, addresses where healthcare services were given, and for some patients, internal SHDS processing notes and medical record numbers. The hackers did not obtain other sensitive information such as Social Security numbers, financial data, and detailed clinical information. Patients impacted by the breach were alerted on February 15, 2019, and have been offered 12 months of credit monitoring and identity theft protection services for free.

The California Physicians’ Service, operating as Blue Shield of California, has also alerted the California Attorney General about the breach.  Blue Shield of California members had names, addresses, birth dates, BlueShield ID numbers, addresses where healthcare services were given, and for some patients, internal SHDS processing memos, medical record numbers, and provider identities stolen in the breach. Blue Shield has offered 12 months of credit monitoring and identity theft protection services for free. Those services can be renewed annually for individuals that remain BlueShield clients. Blue Shield’s breach summary on the OCR website indicates that the breach affected 18,416 of their patients.

It is currently not confirmed how many other healthcare clients have been affected by the SHDS breach.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA