Sharecare Health Data Services has announced that an unauthorised individual gained access to some of its systems and sensitive patient data may have been compromised.
Sharecare Health Data Services (SHDS) provides secure electronic exchange and medical records management services for healthcare organisations. SHDS is based in San Diego.
The attack was discovered on June 26, 2018, when an employee at SHDS detected abnormal network activity. SHDS launched an investigation into the suspicious activity, which revealed that an unauthorised individual had gained access to a number of their systems, which contained protected health information (PHI).
Investigators determined that the hacker first gained access on May 21, 2018. When SHDS discovered the attack in June, they took immediate action to block the hacker from their system. Investigators determined that the hacker accessed PHI and exported it to locations outside the U.S.
SHDS contracted Mandiant, a cybersecurity forensic firm, to assist with the investigation. SHDS also reported the breach to the FBI, which launched its own investigation into the breach.
SHDS has taken measures to improve its security framework and mitigate the risk of future breaches of a similar nature. SHDS has reassessed its data retention policies and improved its maintenance communications and protocols. SHDS has hired a third-party firm to monitor its data systems around the clock as an extra precaution.
SHDS was extremely slow in notifying its clients of the breach. On December 31, 2018, more than five months after the incident occurred, SHDS alerted at least two healthcare organisations of the attack. SHDS has yet to explain the delay. HIPAA’s Breach Notification Rule states breach notifications should be issued without undue delay. It is unknown what the implications of this HIPAA violation will be for SHDS.
Department of Health and Human Services’ Office for Civil Rights’ breach portal has yet to be updated with information about the breach. Therefore, the extent of the breach is currently unknown.
Two organisations have notified the California Attorney General that they were affected by the breach; AltaMed Health Services Corporation and California Physicians’ Service.
AltaMed Health Services Corporation, based in Los Angeles, stated that the SHDS breach affected 5,767 of its patients. AltaMed’s breach notice to the California Attorney General stated that the breach was limited to names, addresses, birth dates, unique patient ID numbers, addresses where healthcare services were provided, and for some patients, internal SHDS processing notes and medical record numbers. The hacker did not access patient Social Security numbers, financial information, and detailed clinical information.
AltaMed Health notified its patients on February 15, 2019. The healthcare organisation have offered patients 12 months of credit monitoring and identity theft protection services without charge.
The California Physicians’ Service, doing business as Blue Shield of California stated the hacker gained access to patient names, addresses, birth dates, BlueShield ID numbers, addresses where healthcare services were provided, and for some patients, internal SHDS processing notes, medical record numbers, and provider names. Similarly, the organisation offered 12 months of credit monitoring and identity theft protection services to affected patients. Individuals that remain BlueShield members can renew these services annual. The organisation did not inform the California Attorney General of the number of patients affected by the breach.