Revenue Cycle Management Firm's Data Breach Total Soars
The number of people affected by a March 2024 hack on a healthcare revenue cycle management and billing services provider has soared in recent weeks to more than 182 million as the company continues to file updated breach reports to state and federal regulators.

ALN Medical Management, which court documents indicate is based in Nebraska and was acquired in 2023 by Maryland-based Health Prime International, filed several updated breach reports in recent days to state regulators, including the attorneys general of Texas and California, as well as to the U.S. Department of Health and Human Services' Office for Civil Rights.

As of March 28, a breach report ALN filed to HHS OCR in May 2024 said that 501 people, a placeholder estimate, were affected by the hacking/IT incident involving a network server (see: Revenue Cycle Management Firm Hack Affects Patients, Clients).

But as of early Wednesday morning, that ALN breach report to HHS OCR appeared updated in recent weeks, stating that more than 132 million people were affected.

But just a few hours later, by mid-morning on Wednesday, HHS OCR appeared to have once again updated the ALN breach report, this time stating the breach affected more than 182 million individuals.

With ALN's latest updated report to federal regulators, the company's hacking incident shot up the ranks, now landing as the 12th largest of all 734 health data breaches reported to HHS OCR in 2024, according to the agency's HIPAA Breach Reporting Tool website listing HIPAA breaches affecting 500 or more individuals.

As of Wednesday, the ALN incident also ranked as the eighth largest of 222 health data breaches reported to HHS OCR in 2024 involving HIPAA business associates.

ALN has been updating its breach reports to state regulators as well. On May 27, ALN submitted an updated report to the Texas attorney general stating that 135,268 Texans were among those affected. That's up from a March 24 report to the state attorney general saying that the company's hack affected 127,113 Texans.

ALN in its breach notification said that in March 2024, the company identified suspicious activity related to systems being hosted by a third-party service provider.

ALN did not identify the third-party service provider, but the company said that ALN's internal IT systems were not affected by the incident.

"The investigation determined that certain files and folders within our third-party hosted environment were accessed or taken by an unauthorized actor between March 18 and March 24, 2024," ALN said.

Affected information includes individuals' Social Security number; driver's license number; government-issued ID number, including passport and state ID cards; financial information, such as account number, credit or debit card number; medical information; and health insurance information.

As of Wednesday, ALN faced at least 16 proposed federal class action lawsuits related to the breach, alleging a variety of claims against the company, including negligence in the firm failing to protect individuals' sensitive information from compromises by cybercriminals.

Neither ALN nor the firm's parent company, Health Prime International, immediately responded to Information Security Media Group's requests for additional details and comment about the incident.

Some experts said the rising breach victim total in the ALN hack is not surprising. "Of top six revenue cycle management service providers in the U.S., in the past 18 months, three have experienced cyberattacks, and another three in the past decade," said Fred Langston, executive vice president of professional services at security firm Lumifi Cyber.

Other similar vendor breaches, ranging from last year's cyberattack on health insurer UnitedHealth Group's Change Healthcare IT services unit to a hacking incident recently reported by medical debt collector Nationwide Recovery Service, are among many other examples of third-party compromises affecting millions of individuals.

Payers and medical collection agencies are a top target for hackers because they have valuable data on millions of people, Langston said.

Regulatory attorney Paul Hales of the Hales Law Group offered a similar perspective. "The large scale of this breach is a product of modern healthcare, which serves many people and depends on revenue cycle management vendors like ALN," he said.

"These types of vendors hold patient information that fraudsters can use, and they continually transmit the information to others, raising exposure to vulnerabilities that allow infection by malicious software," he said.

A large breach like the one at ALN also requires a lengthy process to identify affected individuals, Hales said. Establishing robust, efficient audit trails should be prioritized to provide timely, helpful breach notifications, he suggested.

Third parties such as HIPAA business associates also often have added challenges when determining the extent of a breach, said Eran Barak, co-founder and CEO at security firm Mind.

"The difficulty lies in blind spots that are both technical and procedural. Most third-party vendors lack comprehensive visibility into their data," he said.

"Sensitive data could live across multiple environments: cloud systems, local storage, SaaS platforms, endpoints and email. When a breach occurs, it's not just about what was accessed, but about what type of data was exposed and whose data," he said.

Often, the process to determine the exact number of people and their specific information exposed in major breaches is more of an art rather than a science, some experts said.

"Most entities are ultimately providing an estimate of how many records were exposed in the case of a large breach, even after the conclusion of extensive forensic investigative activities," Langston said.

"Two main factors play into this," he said. "If you do not have full forensic records to document whose records were breached, and sadly many organizations only learn they do not have sufficient logging to determine whose records were breached until after a breach happens, you must assume and report that all records on the breached asset were exposed," he said.

"Secondly, it's commonly much cheaper and easier to assume all records on a breached asset are exposed, as forensic investigations to identify every stolen record are very expensive, tedious, prone to error and may turn out showing that all records were exposed anyways," he said. "It's faster, cheaper and easier to just assume all records were exposed."

Regardless of those and other challenges, the bottom line is that many healthcare sector organizations need to beef up their data security and privacy programs, Hales said.

"The healthcare industry must improve its basic HIPAA compliance, including analyzing and managing risks to patient information security," he said. "Confidentiality is a bedrock of ethical healthcare and a barrier to class action lawsuits."

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.