Firm Says Medicare Info Obtained From DOJ Breached in Attack
Nearly 342,000 Affected; Health Data Incident Isn't Covered by HIPAA Rules
A cyberattack on a Boston-based consulting firm that provides litigation support services to the U.S. Department of Justice in investigations has potentially compromised Medicare numbers and other health insurance and medical information of nearly 342,000 individuals.
Greylock McKinnon Associates in a report Friday to the state of Maine's attorney general said the incident involved "unusual activity" detected on the firm's internal network on May 30, 2023. GMA said it only received confirmation about which individuals' information was affected and obtained their contact addresses on Feb. 7, 2024, for notification.
Information affected in the incident includes individuals' personal and Medicare information such as name, birthdate, address and Medicare health insurance claim number, which contains the Social Security number associated with a member, as well as some medical or health insurance information, GMA said.
The information compromised in the GMA attack was obtained from the Department of Justice as part of a civil litigation matter and services GMA provided to the DOJ in support of that work, the company's breach notice said. GMA deleted the DOJ data from its systems after the incident, the company said.
"DOJ has advised us that you are not the subject of this investigation or the associated litigation matters," GMA said in its breach notice to affected individuals. "The DOJ informed GMA that this incident does not impact your current Medicare benefits or coverage," the company added.
GMA said it is offering affected individuals 24 months of complimentary identity and credit monitoring.
Non-HIPAA Health Breaches
Experts said that while the GMA compromise does not appear to be a protected health information breach under federal HIPAA regulations - which, among other requirements, mandate notification of individuals within 60 days of breach discovery - the incident spotlights the serious privacy and cyber risks posed to health information handled by companies that fall outside the scope of HIPAA.
"Some think any health information breach violates HIPAA. HIPAA does not cover the GMA breach because GMA is not a covered entity or business associate," said regulatory attorney Paul Hales of the Hales Law Group.
HIPAA-covered entities include health plans, clearinghouses and certain healthcare providers, while HIPAA business associates are entities that perform functions, activities or services involving the use or disclosure of HIPAA-protected health information on behalf of a HIPAA-covered entity.
"Health information resides in a wide variety of organizations besides HIPAA-regulated entities," Hales said. GMA is a consulting firm that provides economic analysis and litigation support that can involve health-related information, he said.
"The DOJ's Civil Division investigates and litigates Medicare fraud and abuse cases," Hales said. It's possible that the information compromised in the GMA cyberattack was involved in one such case, he said.
Neither an attorney representing GMA in the breach nor the Department of Justice immediately responded to Information Security Media Group's request for additional details and comment about the breach.
GMA is so far facing at least one proposed class action involving the breach, filed on March 29 in a Massachusetts federal court, alleging several claims. The case includes allegations of negligence by the company in failing to safeguard individuals' personal information, as well as violations of the Federal Trade Commission Act.
The lawsuit also alleges that GMA waited "an appalling nine months" after the data breach first occurred to finally begin notifying class members about the compromise.
"Personal health record and health app businesses, not regulated by HIPAA, handle a massive volume of personal health information," Hales said. "They are ripe targets for cyber thieves."
"In 2023, the FTC emerged as a significant enforcer of health privacy violations by non-HIPAA-regulated entities," he said (see: FTC Pushes Boundaries With Proposed Health Rule Change).
That includes the FTC in February 2023 taking its first-ever health breach rule enforcement action in a case against discount drug and telehealth provider GoodRx Holdings. A few months later, the FTC took a similar enforcement action against Easy Healthcare, the developer of fertility tracking app Premom. In each of those cases, the FTC said the companies should not have been sharing user information with third parties, including advertisers (see: FTC Fines Fertility App Vendor, Bars It From Data Sharing).
"Our economy is diverse. We need comprehensive national privacy legislation to address today's landscape and replace our piecemeal regulation of specific information types," Hales said.
"This GMA incident underscores America's chronic failure to establish a national personal privacy protection law like the European Union's General Data Protection Regulation," he said.
"Despite serious cybersecurity threats, Congress has not adopted comprehensive federal privacy legislation. Instead, we have a patchwork of industry-specific federal privacy laws enforced by multiple federal agencies," he said. "New state privacy laws add to the problem. They result in uneven privacy protections nationwide, confusion and additional compliance costs."
On Monday, a bipartisan pair of lawmakers from Washington state introduced in Congress the latest proposals for federal privacy legislation to address those and other related issues.
House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wa., and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell, D-Wa., unveiled draft legislation for national data privacy protections - the American Privacy Rights Act.
Among other provisions, the legislation proposes to eliminate the patchwork of state laws by setting one national privacy standard; minimize the data that companies can collect, keep, and use; and provide consumers with control over where their personal information goes, including the ability to prevent the transfer or selling of their data (see: US Bipartisan Privacy Bill Contains Cybersecurity Mandates).