Business Associate Notified Patients of PHI Theft 8 Months After Discovery of a Data Breach

Sharecare Health Data Services (SHDS) provides secure healthcare records management services to healthcare organizations. The San Diego company has recently alerted some of its clients about a hacking incident that resulted in the theft of sensitive information.

SHDS was alerted to a breach when unusual network activity was detected. An investigation was launched on June 26, 2018, which revealed that hackers had accessed systems where patient data was stored. The hackers had access to its systems between May 21, 2018 and June 26, 2018. SHDS hired the cybersecurity company Mandiant to conduct a forensic investigation, and the FBI was notified. The forensic investigation revealed that patient health information had been extracted from its servers and sent to locations outside the United States.

To prevent further breaches, SHDS has enhanced its security, revised its data retention policies, improved maintenance communications and protocols for continuity, and contracted a third-party company to provide round-the-clock monitoring for its data systems.

On December 31, 2018, SHDS notified at least two healthcare companies about the theft of patient data, 5 months after the breach was detected.

AltaMed Health Services Corporation in Los Angeles announced a breach of 5,767 patients’ data. In the breach notice submitted to the California Attorney General, AltaMed stated that the hackers obtained names, birth dates, addresses, unique patient ID numbers, and details of the locations where the patients obtained healthcare services. A limited number of patients also had their internal SHDS processing notes and medical record numbers stolen. No Social Security numbers, financial data, or clinical data were stolen. AltaMed notified the patients affected by the breach on February 15, 2019 and offered one year of free credit monitoring and identity theft protection services.

Blue Shield of California also informed the California Attorney General that it had been affected by the breach. The information stolen was limited to names, birth dates, addresses, Blue Shield ID numbers, and the locations where the patients obtained healthcare services. For some patients, medical record numbers, internal SHDS processing notes and provider names were also stolen. Blue Shield has offered affected persons one year of credit monitoring and identity theft protection services without charge. The protection services are renewable every year if the individuals remain members of Blue Shield. The exact number of affected people is not currently known.