Episource, which develops analytics tools for healthcare providers, said it has begun informing patient victims of a health data breach as a result of a ransomware attack in February.
Customer Sharp Healthcare and Sharp Community Medical Group said that while the incident did not involve unauthorized access to its electronic health records or patient portals, its patients’ health insurance and health data were exposed.
WHY IT MATTERS
Episource, a medical coding, risk adjustment services and software company owned by UnitedHealth Group, said in a website notice that a forensic investigation confirmed there had been unauthorized access during a ransomware attack on its computer systems earlier this year and reported the incident to the California Attorney General on June 6.
The threat actors were able to access patient data held by the company’s healthcare provider and health plan customers between Jan. 27 and Feb. 6. The data that may have been seen or taken varies, Episource said.
“We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems,” Episource also said, adding, “Financial and banking information and payment cards largely were not impacted in this incident.”
Data that may have been exfiltrated includes personal contact information, health insurance plan data, medical diagnoses, test results, images and more protected patient health information.
Sharp confirmed in a breach notice now posted to its website that Episource first confirmed that the health system had been affected by the breach on April 24 and was now sending out patient breach notifications.
While the incident did not involve unauthorized access to electronic health records or patient portals, Sharp said, it worked closely with Episource to identify which of its patients were affected and what kinds of information were compromised.
Patients’ contact information and health insurance data, such as health plans, member and group ID numbers, and Medicaid-Medicare payer IDs may have been exfiltrated. Also exposed could be their health data – including doctors, diagnoses, medications, test results, images and treatment plans.
THE LARGER TREND
Last year, the attack on another UHG subsidiary – the health payment exchange Change Healthcare – hobbled providers’ payments for months.
That incident highlighted how vulnerable healthcare platforms with huge concentrations of valuable patient data are, with 190 million people affected. But it also proved how healthcare-related businesses that do not directly provide patient care face significant risk of being targeted by threat actors looking to cripple the healthcare delivery system patients rely on.
So far this year, there have been at least three such ransomware attacks, according to Comparitech, a firm researching U.S. and U.K. cybersecurity and online privacy. There have been another 24 unconfirmed attacks against healthcare-related companies that haven’t been publicly acknowledged, according to the firm’s blog post on Friday.
Just halfway through the year, these stats could mean the healthcare industry may exceed last year’s number of attacks on healthcare business associates. In 2024, 29 attacks on healthcare business associates compromised nearly 193 million patient records, the company said.
Of note, previous Comparitech research indicated that ransomware attacks on providers cost up to $900,000 per day on downtime alone, based on attacks that occurred over four years.
ON THE RECORD
“The information did not include any social security numbers, driver’s license or ID numbers, government ID numbers, bank account or credit/payment card information,” Sharp said in a statement.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
