AllyAlign Health Ransomware Attack Impacts Tens of Thousands of People

AllyAlign Health based in Glen Allen, VA, offering Medicare Advantage health plan management, has begun informing members and companies regarding a ransomware attack attempt that happened on November 13, 2020.

Based on the breach notification letters received by impacted persons, AllyAlign Health knew about the attack first on November 14, 2020. The investigator of the incident learned that the attackers accessed systems containing members’ information such as first and last names, birth dates, addresses, Social Security numbers, Medicare beneficiary identifiers, Medicare health insurance claim numbers, medical claims backgrounds, medical insurance policy numbers, and other medical data.

Healthcare providers impacted by the breach received notification that names, addresses, birth dates, Council for Affordable Quality Healthcare (CAQH) credentialing data, and Social Security numbers might have been breached.

It is uncertain precisely how many people were impacted by the attack. Based on the breach notification provided to the Maine Attorney General, the protected health information (PHI) of 76,348 persons was possibly affected by the breach. AllyAlign Health submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights indicating that 33,932 people were impacted. The 33,932 people are probably members and the others are healthcare providers.

The Attorney General notification reveals the breach was identified on February 2, 2021. This may be the particular date when they completed the breach investigation and knew about the number of people affected.

AllyAlign Health stated it worked immediately to take care of the breach and called in IT experts to secure its network environment. After the breach happened, guidelines and procedures were modified to address the security of its systems, servers and data life cycle control. The provider sent notification letters to affected persons on February 26, 2021 and offered them credit monitoring and identity theft protection services. During the issuance of notifications, there was no report received that indicates the misuse of the data of members or providers.