Posted On November 30, 2022 Consumer Privacy & Data Breaches
On November 22, 2022, Mena Regional Health System filed notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights after learning that an unauthorized party accessed its computer system and removed a limited number of files containing sensitive patient information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ full names, Social Security numbers and protected health information. After confirming that consumer data was leaked, MRHS began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the MRHS data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Mena Regional Health System.
The available information regarding the Mena Regional Health System breach comes from the company’s filing with the U.S. Department of Health and Human Services Office for Civil Rights, as well as the notice posted on the MRHS website. According to these sources, MRHS recently learned that its computer systems were accessed by an unauthorized party. In response, the company alerted law enforcement and then launched an investigation into the incident with the assistance of cybersecurity experts in hopes of learning what, if any, patient information was leaked as a result.
The MRHS investigation confirmed that an unauthorized party was able to access portions of the company’s computer system containing patients’ sensitive information.
Upon discovering that confidential patient data was accessible to an unauthorized party, Mena Regional Health System began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, date of birth, Social Security number, driver’s license number, government identification number, financial account information, medical record number, patient account number, medical diagnosis and treatment information, medical provider names, lab results, prescription information, and health insurance information.
On November 22, 2022, Mena Regional Health System sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Mena Regional Health System is a healthcare system based in Mena, Arkansas. The organization serves Polk County, as well as the rest of western Arkansas and eastern Oklahoma. MRHS operates both in- and out-patient facilities, including acute care medical and surgical services, a six-bed ICU, labor and delivery, Mena Senior Behavioral Health Center and Mena Rehabilitation Center, Ouachita Rehabilitation Center, as well as dermatology, cardiology, ophthalmology and urology clinics. Mena Regional Health System employs more than 76 people and generates approximately $14 million in annual revenue.
We know that the Mena Regional Health System data breach leaked patients’ protected health information based on the notice posted on the organization’s website. However, few patients realize the importance of this information and what criminals can do with it. Read on to learn more about healthcare data breaches.
Mena Regional Health System is far from the only healthcare provider that has recently reported a data breach. In fact, healthcare providers have been among the most targeted organizations in 2022, with more than 2.5 million patients having their information leaked this year alone. As cybercriminals and other bad actors continue to focus their efforts on obtaining patients’ protected health information, it is important for victims of a healthcare data breach to understand what is at risk and what their options are.
The first step to protecting yourself is to answer the question, “what is protected health information?” Protected health information, or PHI, is demographic information, test and laboratory results, medical history information, insurance information, mental health information or any other data that healthcare providers collect during the course of a patient’s treatment.
The collection and use of protected health information is controlled by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, under HIPAA, not all healthcare-related information is considered “protected”—it is only when the leaked data also contains an identifier that it is considered PHI. This is because, without an identifier, there is no way for anyone to connect data back to a specific patient.
There are 18 different identifiers outlined in HIPAA, including a patient’s:
Of course, your health is very personal, as is any related healthcare information. For this reason alone, healthcare data breaches are concerning. However, aside from an invasion of privacy, these incidents also put you at risk of experiencing financial, and even physical, harm.
In the worst-case scenario, hackers who obtain a patient’s protected health information sell the information on the dark web to another person who is looking to receive medical care without paying for it. Once they purchase your information, they steal your identity, going to the doctor’s office pretending to be you. This not only leaves you responsible for the “fake patient’s” medical bills, but it can also lead to misleading and incorrect information being added to your medical records. For example, when the doctor asks the “fake patient” about their current list of medications or past medical conditions, the impostor will provide their own information to ensure they receive the appropriate treatment.
Healthcare data breaches such as the MRHS breach are very serious, and anyone who receives notice of such a breach should immediately reach out to a data breach lawyer for assistance.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the MRHS data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Mena Regional Health System (the actual notice sent to consumers can be found here):
The privacy and security of the personal information we maintain is of the utmost importance to the Mena Regional Health System (“MRHS”).
MRHS determined that an unauthorized party removed a limited number of files from our system. Upon detecting the incident, MRHS commenced an immediate and thorough investigation and alerted law enforcement. As part of our investigation, MRHS engaged leading cybersecurity experts to identify what personal information, if any, might have been present in the impacted files.
After an extensive forensic investigation and manual document review, MRHS discovered on November 8, 2022 that one or more of the files removed by the unauthorized party on or about October 30, 2021 contained personal information pertaining to a limited number of individuals, such as full names, dates of birth, Social Security numbers, driver’s license/government identification numbers, financial account information, medical record/patient account number(s), medical diagnosis/treatment information, medical provider name(s), lab results, prescription information, and health insurance information.
MRHS is not aware of any reports of identity fraud or improper use of personal information as a direct result of this incident. However, out of an abundance of caution, commencing on November 22, 2022, MRHS notified individuals whose information may have been included in the files accessed by the unauthorized party. Notified individuals have been provided with best practices to protect their information, and individuals whose Social Security numbers were contained in the impacted files have been offered complimentary credit monitoring.
MRHS is committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it. MRHS continually evaluates and modifies its practices to enhance the security and privacy of the personal information it maintains.
For individuals who have questions or need additional information regarding this incident, or to determine if they are impacted and are eligible for credit monitoring, MRHS has established a dedicated toll-free response line at 1-833-896-5650. The response line is available Monday through Friday, 8 a.m. to 8 p.m. Central Time.