PracticeFirst
December 1, 2020
1.2M
Confirmed
Ransomware
Technology
A supply chain ransomware attack affecting more than 1.2 million individuals is among the largest health data breaches reported to federal regulators so far this year.

Practicefirst, an Amherst, New York-based medical management services provider, on July 1 reported to federal regulators a breach that occurred late last year. The company's breach notification statement appears to indicate that the firm paid a ransom in exchange for promises that the attackers would destroy and not further disclose files stolen in the incident.

The Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, shows that Practicefirst reported the incident as affecting the information of more than 1.2 million. As of Tuesday, the Practicefirst incident was the sixth-largest health data breach posted on the HHS website so far in 2021.

Ransomware Attack

In its breach notification statement, Practicefirst says that on Dec. 30, 2020, it "learned that an unauthorized actor who attempted to deploy ransomware to encrypt our systems copied some files from our system, including files that contain limited patient and employee personal information." Upon learning of the situation, the company says it shut down its systems, changed passwords, alerted law enforcement agencies and retained privacy and security experts to assist.
"The information copied from our system by the unauthorized actor before it was permanently deleted, included … name, address, email address, date of birth, driver’s license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, employee username with password, employee username with security questions and answers, and bank account and/or credit card/debit card information," Practicefirst says.

"We are not aware of any fraud or misuse of any of the information as a result of this incident," the company says. "The actor who took the copy has advised that the information is destroyed and was not shared."

Many security experts stress that such promises by hackers cannot be trusted.

"Cybercriminals who infiltrate information systems are not reputable or reliable. By their nature, they will lie, cheat and steal," says privacy attorney David Holtzman of consulting firm HITprivacy LLC. "Vendors to healthcare organizations should be transparent to the public and to the organizations contracted with those providers to make clear statements as to what happened, what data may have been compromised and what steps they are taking to notify the organizations they serve of the data that was put at risk."

Practicefirst says it implemented measures "to further improve the security of our systems and practices." That includes additional security protocols designed to protect its network, email environment and systems.

The company did not immediately respond to Information Security Media Group's request for additional details about the incident, including the reason for the delay in reporting it and the number of healthcare provider clients affected.