Data Breaches Suffered by PracticeMax and UMass Memorial Health

Anthem health plan members who have End-Stage Kidney Disease and are enrolled in the VillageHealth program were notified about the potential compromise of some of their protected health information (PHI) during a ransomware attack.

VillageHealth assists Anthem plan members by coordinating care between the dialysis center, nephrologists, and healthcare providers, and shares the results with Anthem through its vendor, PracticeMax.

PracticeMax provides business management and information technology solutions to healthcare companies. It identified the attack on May 1, 2021. According to the investigation, the attackers obtained access to its systems on April 17, 2021, and had continuing access possibly until May 5, 2021. PracticeMax said it regained access to its IT systems on the following day.

A forensic analysis of the attack confirmed that it affected one server that held protected health information (PHI), and that the attackers may have accessed and acquired that information.

The investigation into the incident concluded on August 19, 2021, and established that the following types of data were exposed: first and last name, address, date of birth, phone number, Anthem member ID number, and clinical information associated with kidney care services received. No financial details or Social Security numbers were compromised.

PracticeMax states it has evaluated its policies and protocols and has applied extra safeguards to prevent future attacks, which include rebuilding systems, deploying more endpoint security solutions, and improving its firewalls. Affected individuals were provided complimentary credit monitoring services for 24 months.

UMass Memorial Health Notifies Patients About Phishing Attack

UMass Memorial Health has discovered that unauthorized persons obtained access to some employees’ email accounts after the employees responded to phishing emails. The phishing attack was identified on August 25, 2021, when suspicious activity was noticed in its email environment.

UMass blocked unauthorized access to the email accounts right away and launched a forensic investigation with support from a third-party computer forensics company. The investigation confirmed that the email accounts were breached from June 24, 2020 until January 7, 2021, and that during that time the unauthorized individuals had access to PHI stored in the email accounts.

Although no evidence was found that the attackers had viewed or acquired the emails, the possibility could not be ruled out. An evaluation of the PHI within the accounts was done on August 25, 2021. The compromised information includes names, financial account information, driver’s license numbers, and Social Security numbers. UMass Memorial Health stated that free credit monitoring and identity theft protection services were given to impacted people. UMass Memorial stated it is improving email security and will be re-educating employees on email guidelines.

The breach has been reported to the Maine Attorney General as affecting a total of 3,099 individuals across the United States.