Health Data Analytics Company Submits 1.1-Million Record Data Breach Report

Berry, Dunn, McNeil & Parker, LLC (BerryDunn), an accounting and consulting company based in Portland, ME filed a data breach report with the Maine Attorney General that affected the personal data of 1,107,354 people. BerryDunn is a health data analytics services provider to healthcare companies, medical insurance companies, and government regulatory and healthcare policy organizations. To carry out its contracted services, its clients give BerryDunn access to personal and health information.

BerryDunn’s Health Analytics Practice Group (HAPG) worked with a managed service provider (MSP) known as Reliable Networks of Maine, LLC, which handles systems for HAPG. Based on BerryDunn’s breach notice, Reliable Networks informed HAPG on September 14, 2023 about the suspicious activity it identified on its system, which include the systems it handles for HAPG. BerryDunn promptly started its incident response procedures and engaged third-party cybersecurity specialists to investigate and identify the degree to which client information was affected.

Based on the notification BerryDunn sent to the Maine Attorney General, the investigation discovered an unauthorized actor acquired access to Reliable’s system and stole some information saved on the HAPG systems.

BerryDunn’s investigation revealed that a threat actor acquired access to the system and stole information from the HAPG systems managed by the MSP. A vendor was hired to perform an analysis of the impacted files, and that procedure was finished on April 2, 2024. The compromised or stolen data during the incident contained names, addresses, birth dates, Social Security numbers, medical insurance policy numbers, Medicaid or Medicare numbers, passport numbers, state or governmental ID numbers, and medical data. In compliance with the HIPAA breach notification rules, notification letters were sent to the impacted persons on April 25, 2024, and free credit monitoring and identity theft protection services were provided to the impacted people including a $1 million identity theft reimbursement plan.

The number of BerryDunn clients is uncertain. BerryDunn has reported the decommissioning of all systems controlled by Reliable Networks and transferred all HAPG information to safe internal BerryDunn servers. The servers are steadily checked for unauthorized access following its cybersecurity plan.

Reliable Networks has offered a statement concerning the unauthorized access and data breach and stated that BerryDunn’s systems were viewed by an unauthorized third party, and not the systems of Reliable Networks. Reliable Networks is frustrated in Berry Dunn’s judgment to blame Reliable Networks for the incidents that took place. For many years, Reliable Networks has provided Berry Dunn with technology consultation assistance, maintenance and monitoring services, and on-demand IT help and training for Berry Dunn’s systems. Berry Dunn, however, failed to keep Reliable Networks as its cybersecurity prevention/protection supplier. As mentioned by Berry Dunn in its Notice, while carrying out its network monitoring services, Reliable Networks detected suspicious activity impacting Berry Dunn’s system, and immediately notified Berry Dunn of this activity. However, the data breach didn’t happen on Reliable Networks’ system, nor in its internal networks. Moreover, none of Reliable Networks’ other clients’ networks were affected by this data breach.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X