Posted On February 4, 2022 Consumer Privacy & Data Breaches
February 4, 2022 – Cyberthreats remain a hot topic, as the number of reported data breaches and other cyberattacks continues to grow with each new week. One of the most recent data breaches involves Medical Review Institute of America, a healthcare-related company based in Salt Lake City, Utah.
According to Medical Review Institute of America (“MRIoA”), on November 9, 2021, the company learned that it was the victim of a “sophisticated cyber-attack.” A few days later, MRIoA discovered that the attack resulted in an unauthorized party viewing, accessing and obtaining certain demographic, clinical and financial information of more than 134,000 individuals.
Cyberattacks such as the MRIoA data breach are increasingly common. They also raise major concerns for consumers whose information is compromised. In many cases, a data security incident such as this one is the result of a hacker breaching a company’s computers to view, and possibly steal, consumer information. While no one knows why Medical Review Institute of America was targeted in the recent cyber-attack, it is not uncommon for cybercriminals to seek out companies that have weak or otherwise inadequate data security systems.
Once a cybercriminal breaches a computer network, they can access and remove sensitive consumer information from the compromised systems. Often, companies can identify which files were accessible by the unauthorized party; however, they typically will not be able to confirm which of the compromised files were viewed by a hacker or whether a hacker removed any of the data contained in those files.
The fact that your information was leaked in the Medical Review Institute of America data leak does not necessarily mean someone will steal your identity. However, it is a possibility that should not be ruled out. Given the risks that come along with having your personal information exposed, those in receipt of a MRIoA data breach notification letter should ensure they take the necessary steps to limit the risks of identity theft or other financial losses.
When you allowed Medical Review Institute of America access to your personal, financial and health data, you trusted the company to keep this sensitive information secure. Certainly, anyone in your shoes would assume that a company such as MRIoA would take whatever steps were necessary to address the many cyberthreats in today’s high-tech environment. However, news of the Medical Review Institute of America data breach raises some very serious questions about the company’s data security measures and whether more could have been done to prevent the breach.
Companies have an ethical and legal obligation to protect the sensitive employee information in their possession. While developing a strong data security system comes at a high cost, this is a necessary cost of doing business in an environment where cyberattacks, network intrusions and other data security events are common.
U.S. consumer privacy and data breach laws allow consumers to pursue data breach lawsuits against companies that misuse or mishandle their personal information. However, because news of the Medical Review Institute of America data breach is still very recent, and details about the incident are still emerging, there is not yet any evidence suggesting that Medical Review Institute of America was responsible for the breach. Nonetheless, our data breach attorneys are investigating the Medical Review Institute of America data security incident and its potential causes to determine the legal remedies those affected by the MRIoA breach may have against the company.
If you have questions about your ability to pursue a data breach class action lawsuit against Medical Review Institute of America, contact a data breach attorney as soon as possible.
If you have received a data breach notification letter from Medical Review Institute of America, it means that your sensitive data was compromised in the recent cyber-security event. This means that a hacker or other criminal actor may have accessed, viewed, and stolen your personal data. While some hacking events never result in any harm to consumers, unfortunately, you won’t know there is a problem until it’s too late. Thus, it is crucial that you remain vigilant by taking the following steps:
Medical Review Institute of America, Inc. (“MRIoA”) is a medical review company based in Salt Lake City, Utah. The company provides external health-care-related reviews on behalf of insurance companies and similarly situated clients. MRIoA provides independent reviews of a wide range of claims, including medical, dental, behavioral health, pharmacy, vision, disability, workers’ compensation, and auto claims. The purpose of an MRIoA review is to obtain a second opinion for an insurance company to use when making compensability decisions. The company operates across 150 different specialties and employs a staff consisting of more than 700 reviewers, 35 doctors, 30 nurses, and 40 pharmacists.
According to Medical Review Institute of America (“MRIoA”), on November 9, 2021, the company learned that it was the victim of a “sophisticated cyber-attack.” A few days later, on November 12, 2021, MRIoA discovered that an unauthorized party viewed, accessed and obtained certain demographic, clinical and financial information on November 2, 2021. Evidently, the hacker exploited a SonicWall vulnerability to orchestrate the attack. The information compromised as a result of the data breach includes the following:
Medical Review Institute of America reports that as many as 134,571 individuals were impacted by this data security event. However, the company cannot yet determine what exact information was obtained by the unauthorized party. Following a subsequent investigation, the Medical Review Institute of America “retrieved and subsequently confirmed the deletion of the obtained information.”
On January 7, 2021, MRIoA sent data breach notification letters to those whose information was affected by the breach. These “Security Breach Notifications” explain the details of the breach and provide consumers with recommended steps to limit their risks. MRIoA maintains that it is unaware of any instance in which the hacker used the data obtained. However, affected individuals should keep a lookout for signs of identity theft and fraud by closely monitoring their online accounts and credit reports.
Below is a copy of the initial data breach letter issued by Medical Review Institute of America (a sample of the actual notice sent to consumers can be found here):
At the Medical Review Institute of America (“MRIoA”), we value transparency and respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that involves your protected personal information, what we did in response, and steps you can take to protect yourself against possible misuse of the information. Please note that you are receiving this letter because <<b2b_text_1 (Covered Entity)>> provided us information to facilitate a clinical peer review of a health care service you requested or received.
On November 9, 2021, we learned that we were the victim of a sophisticated cyber-attack. Once we found out, we quickly took steps to secure and safely restore our systems and operations. Further, we immediately engaged third-party forensic and incident response experts to conduct a thorough investigation of the incident’s nature and scope and assist in the remediation efforts. We also contacted the FBI to inform them of the incident and seek guidance. On November 12, 2021, we discovered that the incident involved the unauthorized acquisition of information.
On November 16, 2021, to the best of our ability and knowledge, we retrieved and subsequently confirmed the deletion of the obtained information. Our investigation into the cause of the incident is ongoing. However, once we retrieved the information, we began determining the individuals impacted in the incident. Further, based on a comprehensive review, we discovered that your protected health information was included in the incident. However, as of now, we have no evidence indicating misuse of any of your information.
What Information Was Involved
The types of protected health information potentially involved (only if this information was provided to MRIoA by the organization named above) are your demographic information (i.e., first and last name, gender, home address, phone number, email address, date of birth, and social security number); clinical information (i.e., medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name, medical account number, or anything similar in your medical file and/or record); and financial information (i.e., health insurance policy and group plan number, group plan provider, claim information).
What We Are Doing
As explained above, we took immediate steps to secure our systems and engaged third-party forensic experts to assist in the investigation. Further, in response to this incident, we implemented and/or are continuing to implement additional cybersecurity safeguards to our existing robust infrastructure to better minimize the likelihood of this type of event occurring again, including: