Posted On October 26, 2022 Consumer Privacy & Data Breaches
On September 23, 2022, various anesthesiologist practices across the United States filed notices of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights. About a month later, several of the same practices filed notice of a breach with the Montana Attorney General. Based on the companies’ official filings, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, Medical Record Numbers, Medicaid or Medicare identification numbers, and health information such as treatment and diagnosis info. After confirming that consumer data was leaked, these practices, named individually below, began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification from an anesthesiology practice, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating these anesthesiologist data breaches on behalf of patients whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from the responsible party or parties.
The available information regarding the various anesthesiologist breaches comes from the companies’ filings with the Attorney General of Montana and, to a lesser extent, with the U.S. Department of Health and Human Services Office for Civil Rights.
On September 23, 2022, the following anesthesiologist practices filed notice with the U.S. Department of Health and Human Services Office for Civil Rights:
However, the information provided on the HHS OCR page is limited, and all that could be gleaned from the posting was that the breaches all involved a “hacking / IT incident” of a network server.
Subsequently, on October 24, 2022, several of the same organizations filed notice of a breach with the Attorney General of Montana, including:
The Montana Attorney General’s website provides links to the data breach letters sent to affected patients, which give additional details about the incident. Interestingly, all of the anesthesiology practices that reported a breach with the Montana AG uploaded identical letters outlining the same basic facts.
Evidently, on September 22, 2022, each of the practices was informed that its management company detected unusual activity within its computer network. The incident giving rise to the breach occurred on or around July 11, 2022. The letter explains that the management company provides administrative services to the filing entity, which is presumably how the management company came into possession of patient data.
After noticing the unusual activity, the management company secured its system and enlisted the assistance of a third-party data security firm to investigate the incident. The company’s investigation confirmed that there was unauthorized access to patient information.
Upon discovering that sensitive consumer data was made available to an unauthorized party, the management company began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, date of birth, driver’s license number, financial account information, health insurance policy number, Medical Record Number, Medicaid or Medicare identification number, and health information such as treatment and diagnosis information.
Subsequently, each of the anesthesia practices sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. In total, it appears that there were over 386,000 people affected by these data breaches.
Based on the data breach letters, it would appear that the breach originated at the management company and that the individual anesthesiology practices’ servers were not subject to unauthorized access. However, one important fact that is missing in each of the data breach letters is the name of the management company: nowhere is the company listed by name, with the letter only referring to the company as the “management company.”
Because 15 anesthesiologist practices all reported a breach with the HHS OCR on the same day, and six of the same practices provided identical data breach letters a month later, it would appear that the same management company is involved in each of the breaches. While it cannot be confirmed at this point, through independent research, Console & Associates, P.C. has identified a large anesthesia practice management group that has ties to many of the practices that filed notice of the breach. Until that company comes forward and acknowledges its role in these data breaches, there is still some level of speculation.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by an anesthesiology practice data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by one of the anesthesia practices (the actual notice sent to consumers can be found here):
On September 22, 2022, [Redacted] learned from its management company of suspicious activity that impacted the management company’s ability to access some of its systems. The management company provides administrative services to the [Redacted] and may have your protected health information stored on its systems in the performance of these services.
On July 11, 2022, [Redacted] management company identified suspicious activity on its systems. The management company immediately implemented its incident response protocols, disconnected all systems, and engaged external cybersecurity experts to conduct a forensic investigation. The investigation found that some information stored on the management company’s systems may have been compromised. The management company then reviewed the potentially impacted information to identify any protected health information that may have been affected. This review was recently completed, at which point we determined that your protected health information has been affected.
What Information Was Involved?
Impacted information may include your name, Social Security number, and some combination of the following data elements: date of birth, driver’s license number, financial account information, health insurance policy number, Medical Record Number, Medicaid or Medicare ID, and health information such as treatment and diagnosis info.
What Are We Doing?
The management company has assured us that they have taken steps to prevent a similar incident in the future, including conducting a global password reset, tightening firewall restrictions, and implementing endpoint threat detection and response monitoring software on workstations and servers.
In addition, we are offering identity theft protection services through IDX, the data breach and recovery services expert. IDX identity protection services include: [Redacted] months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed id theft recovery services. With this protection, IDX will help you resolve issues if your identity is compromised.
What You Can Do:
We encourage you to contact IDX with any questions and to enroll in free identity protection services by calling 1-833-764-2864 or going to [Redacted] and using the Enrollment Code provided above. IDX representatives are available Monday through Friday from 9 am – 9 pm Eastern Time. Please note the deadline to enroll is January 24, 2023.
You will find detailed instructions for enrollment on the enclosed Recommended Steps document. Also, you will need to reference the enrollment code at the top of this letter when calling or enrolling online, so please do not discard this letter.
Again, at this time, there is no evidence that your information has been misused. However, we encourage you to take full advantage of this service offering. IDX representatives have been fully versed on the incident and can answer questions or concerns you may have regarding protection of your personal information. We also encourage you to vigilantly monitor your financial statements and credit report and immediately report any suspicious activity.
For More Information:
If you have any questions or concerns, please call 1-833-764-2864 Monday through Friday from 9 am – 9 pm Eastern Time. The trust of our patients is important to us, and we deeply regret any inconvenience or concern that this incident may cause.