Health plans

2 health plans report major violations following attacks

Fraud and cybercrime management, HIPAA/HITECH, Ransomware

Alleged Incidents Involved Conti, Hive Ransomware Gangs

Marianne Kolbasuk McGee (HealthInfoSec) •
May 19, 2022

The manufacturer Parker-Hannifin Corp. says its recent cyber incident affected nearly 120,000 group health plan members.

Two recent apparent Ransomware attacks on health plans – one allegedly involving Conti, and the other Hive, potentially affected hundreds of thousands of individuals. One of the health plans is already facing legal fallout.

See also: Live Webinar | Remote Employees and the Big Resignation: How Do You Handle Insider Threats?

The separate incidents involve the group health plan for employees of Cleveland, Ohio-based motion and control technology maker Parker-Hannifin Corp. and Fairfield, Calif.-based managed care provider Partnership HealthPlan of California. PHC was slapped with a proposed class action lawsuit last week regarding its incident.

Parker–Hannifin incident

Parker-Hannifin May 13 reported to the US Department of Health and Human Services a hacking/computer incident involving a network server and affecting nearly 120,000 people.

Thursday, the Parker incident is the most important HIPAA violation reported by a health plan that has been posted on the HHS OCR website so far in 2022.

In a statement released May 13, Parker Hannifin said a data security incident investigation determined that an unauthorized third party had accessed and may have acquired “certain files” on Parker’s computer systems between the March 11, 2022 and March 14.

On March 31, Conti ransomware actors claimed they had been behind the attack and leaked data stolen during the Parker-Hannifin incident (see: Conti claims to have ‘insiders’ in Costa Rican government).

Parker, in its statement, says its review determined that the affected files may contain information relating to current and former employees, their dependents, and members of Parker’s group health plans, including sponsored health plans. by an entity acquired by Parker.

Information potentially affected includes names, social security numbers, dates of birth, addresses, driver’s license numbers, US passport numbers, financial and banking information, usernames/passwords online accounts, health plan member identification numbers and coverage dates.

For some people, the information also included coverage dates, service dates, provider names, claims information, and medical and clinical treatment information, the company says.

Filing with the SEC

In a March 14 deposit with the U.S. Securities and Exchange Commission, Parker said that upon detecting the unauthorized access, the company immediately activated its incident response protocols, which included shutting down certain systems and opening of an investigation into the incident.

“The Company believes that certain data has been accessed and taken and may include personal information about members of the Company’s team,” the filing said.

Based on Parker’s preliminary assessment of the situation, the company said the incident had no significant financial or operational impact and that it does not believe the incident would have a significant impact on its activities, operations or financial results. “The company’s business systems are fully operational and the company maintains insurance, subject to certain policy deductibles and limitations typical of its size and industry,” Parker said in the filing.

Parker declined Information Security Media Group’s request for additional details about the incident, including comment on Conti’s allegations about his involvement in the attack.

HealthPlan of California Breach Partnership

Meanwhile, PHC recently revealed that it suffered a data breach resulting from an apparent ransomware attack in March, allegedly by cybercriminal group Hive (see: Partnership Health Plan California’s systems are still down).

The incident also left the California provider of nonprofit managed health care plans struggling to recover its IT services for several weeks.

In a notice statement posted on its website, PHC says that on March 19, it identified unusual activity on its network and that it has “evidence” that an unauthorized party accessed or took certain information from PHC’s network on or around March 19.

PHC in its notification statement does not specifically identify the incident as a ransomware attack.

In a March posting on its dark web data leak site, ransomware group Hive claimed responsibility for the incident, saying the data stolen from PHC includes 400 GB of files from a file server and 850,000 “unique records” of personally identifiable information, including names. , addresses, dates of birth and social security numbers.

Since Thursday, the HHS OCR HIPAA Violation Reporting Tool website listing protected health information shortcomings affecting 500 or more people have not yet shown a HIPAA violation report filed by PHC.

A court case filed against PHC on May 5 in a California superior court following the incident alleges that the organization “failed to take steps necessary to prevent such an attack and has to date refused to notify victims of this ransomware attack that their personal information was improperly accessed and stolen.” The complaint was filed by a plaintiff “John Doe” affected by the incident on behalf of himself and others in the same situation.

In its notification statement regarding the incident, PHC says its investigation has determined that the information involved may include certain individuals’ names, social security numbers, dates of birth, driver’s license numbers, phone numbers, identification, medical record numbers, treatments, diagnoses, prescriptions. and other medical information, health insurance information, member portal usernames/passwords, and email and physical addresses.

PHC did not immediately respond to ISMG’s request for comment.

Other Health Plan Incidents

The biggest health data breach ever reported by regulators to date was the 2014 cyberattack on the health plan Anthem Inc.which affected nearly 79 million people.

The breach of the anthem was also the subject of a $115 million settlement in 2018 of a consolidated class action – and a $16 million enforcement action in 2018 by federal regulators.

Other health plans that have suffered major health data breaches have also been hit with enforcement action by regulators.

For example, the New York Attorney General in January announced a settlement with an Ohio-based employee benefits provider. EyeMed vision care following a 2020 email hacking breach that affected 2.1 million people, including nearly 99,000 New Yorkers.