Posted On November 24, 2022 Consumer Privacy & Data Breaches
On November 21, 2022, Hope Health Systems, Inc. (“HHS”) filed notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights experiencing what appears to have been a ransomware attack compromising sensitive patient data stored on the company’s computer network. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to patients’ names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and medical information. After confirming that consumer data was leaked, HHS began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the HHS data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Hope Health Systems, Inc.
The information regarding the Hope Health Systems breach comes from the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal as well as a notice posted on the Hope Health Systems’ website. According to these sources, on June 20, 2022, HHS first learned of a possible cybersecurity event when portions of the company’s computer network were encrypted.
In response, HHS began working with an outside cybersecurity firm to investigate the incident and determine what, if any, patient data was compromised as a result. The HHS investigation confirmed that an unauthorized party was able to access the company’s computer network starting on June 10, 2022. On August 24, 2022, the investigation also revealed that some of the encrypted files contained sensitive information belonging to certain patients, although HHS could not confirm that the unauthorized party actually viewed, accessed, or removed the data.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Hope Health Systems began to review the affected files to determine what information was compromised and which consumers were impacted. The company completed this process on October 18, 2022. While the breached information varies depending on the individual, it may include your name, address, date of birth, Social Security number, driver’s license number, health insurance information, and medical information.
On November 21, 2022, Hope Health Systems sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1999, Hope Health Systems, Inc. is a private, for-profit mental health services provider based in Woodlawn, Maryland. The company provides direct mental health, substance abuse, and community support services to adults, children, and minors in institutional and outpatient settings through three Maryland locations in Woodlawn, Greenspring, and Carroll County. HHS also provides administrative management and research consulting services. Hope Health Systems employs more than 134 people and generates approximately $36 million in annual revenue.
Hope Health Systems, Inc. reported that the recent data security incident affected a significant amount of patient data. Among the data that was leaked were patients’ names, Social Security numbers, medical information, and health insurance information. This information is considered “protected health information,” which is defined as any identifying information relating to a patient’s past, present or future health condition or how a patient pays for their healthcare.
Healthcare-related data, on its own, isn’t necessarily protected health information. However, if healthcare data also contains one or more “identifiers” that can be used to pair up the data with a specific patient, it is considered “protected health information.” Identifiers include names, Social Security numbers, addresses, or anything else that can be used to connect a patient to the leaked information. Often, as is the case in the HHS breach, health-related data is leaked alongside patients’ names and Social Security numbers, meaning the information is protected health information.
The harms that can stem from a data breach involving protected health information can be more severe than those associated with a traditional data breach. As with the case in other types of data breaches, the data obtained through a healthcare data breach provides the hacker with the information they need to commit identity theft or other frauds. However, identity theft following a healthcare data breach is often much worse and more difficult to resolve.
For example, cybercriminals will often orchestrate these attacks in hopes of accessing valuable health-related information they can then sell to a third party. The third-party purchases this information intending to use it to obtain medical care in the victim’s name. This carries financial consequences for the victim because either their insurance gets billed or, if they do not have insurance, they receive the bill themselves.
The other more serious risk is that the person who seeks treatment in your name provides the treating doctor with information about themselves that ends up in your medical record. For example, a fraudulent patient may provide a doctor with a list of their allergies or medications. This could mean the next time you go to the doctor; they have incorrect information in your file.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the HHS data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Hope Health Systems, Inc. (the actual notice sent to consumers can be found here):
Dear [Redacted],
Hope Health Systems Inc. (“HHS”), recently became aware of potentially suspicious activity within certain HHS computer systems that may have impacted the privacy of certain consumer information. HHS took immediate steps to investigate the nature and scope of the event. HHS is issuing this notice to provide information about the incident and steps potentially impacted individuals may take to protect against misuse of their information, where appropriate.
WHAT HAPPENED?
On June 20, 2022, HHS discovered encrypted files on certain computer systems. They immediately launched an investigation with the assistance of third-party cybersecurity and digital forensic specialists to determine the nature and scope of the incident. The investigation determined that there was unauthorized access to certain HHS servers beginning on June 10, 2022. On or about August 24, 2022, HHS determined it was unable to rule out unauthorized access to data stored on its affected systems. The investigation found no evidence that specific information was actually viewed by an unauthorized individual, but the investigation was unable to rule this activity out with absolute certainty. As access to data stored within their system could not be ruled out, they immediately undertook a review of the data at issue. This process completed on or about October 18, 2022. While HHS does not have any evidence of misuse of any consumer information in connection with this incident, out of an abundance of caution, HHS is providing notice of the event so potentially affected individuals may take steps to better protect their personal information, should they feel it is appropriate to do so.
WHAT INFORMATION WAS INVOLVED?
The information potentially at risk varies by individual. HHS continues efforts to notify potentially affected individuals directly. While those efforts remain underway, the consumer information potentially at risk may include the following types of information: name, address, date of birth, Social Security number, driver’s license number, health insurance information, and medical information.
WHAT IS HHS DOING?
Information security remains one of the highest priorities for HHS. HHS is evaluating its existing policies, procedures, and processes, including those related to cybersecurity, to determine whether additional measures are appropriate in an effort to reduce the likelihood of a similar future event.
WHAT CAN I DO?
HHS will provide direct notice to potentially affected individuals for whom we have address information beginning on or about November 21, 2022. Additional information is included in that notice. We encourage all persons who receive services from HHS and their caregivers to remain vigilant against incidents of identity theft and fraud by regularly reviewing account statements, explanation of benefits forms, and free credit reports for suspicious activity and to detect errors. You may also review and consider the information and resources outlined in the below “Steps Individuals Can Take To Help Protect Their Information.
FOR MORE INFORMATION.
We understand that individuals may have questions that are not addressed in this notice. Should individuals have questions regarding this event, they may call a dedicated assistance line at 1-833-896-4932, which is available Monday through Friday, 9 a.m. to 9 p.m. Eastern Time. Individuals may also write to HHS at 1726 Whitehead Road, Suite 106, Gwynn Oak, Maryland 21207.
