Malware Attack on Benefit Recovery Specialists Exposed the PHI of 274,837 People

Benefit Recovery Specialists, Inc. (BRSI), a billing and collection company based in Houston, TX, announced the discovery of malware on its systems and the potential access of unauthorized persons to protected health information (PHI).

BRSI is a business associate of health plans and healthcare providers, which supplied the personal information and PHI of their present and past members and patients that was stored on the BRSI systems.

BRSI discovered the malware on April 30, 2020, and launched an internal investigation without delay. Third-party computer forensics experts investigated the breach to establish the magnitude and scope of the malware attack. According to the investigation, an unauthorized person accessed the BRSI systems using compromised employee account information. After establishing a foothold in the system, the attacker was able to download the malware.

The forensic specialists concluded that the attacker first accessed the BRSI systems on April 20, 2020, and that the access continued until April 30, 2020. Throughout that time, the attacker had access to PHI, which could have been copied. BRSI posted a substitute breach notice on its website, but it did not mention the kind of malware used.

The types of sensitive information stored on the compromised systems included names, birth dates, dates of service, names of providers, policy ID numbers, diagnosis codes, and/or procedure codes. The Social Security numbers of certain people were most likely breached as well.

The investigation of the breach was completed on May 29, 2020. BRSI began sending notification letters to patients on June 2, 2020. No evidence has been found of misuse of any PHI. Nevertheless, BRSI advised the affected persons to stay alert to the possibility of identity theft and scams, and to keep checking their account transactions and explanation of benefits statements for any indication of misuse of their data. According to the substitute breach notice, it seems that BRSI did not offer the breach victims any credit monitoring services.

BRSI has already reported the incident to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicated that 274,837 people were affected. This makes the incident one of the biggest healthcare data breaches documented in 2020.