Sharecare Health Data Services (SHDS), a San Diego firm that provides secure electronic exchange and medical records management services for healthcare groups, has contacted some of its clients to advise them that hackers gained access to parts of its systems that contained sensitive patient data.
SHDS discovered abnormal network activity on June 26, 2018, leading to an in-depth investigation. The investigation showed cyber criminals obtained access to systems containing protected health information as early as May 21, 2018. Access remained open until June 26, 2018, during which time PHI was accessed and downloaded by the hackers to locations outside the U.S.
SHDS hired the cybersecurity firm Mandiant to help with the forensic investigation of the breach. The breach was also reported to the FBI, and SHDS has been assisting with its investigation.
SHDS has since implemented new measures to enhance security and prevent further breaches. Data retention policies have been revised, maintenance communications and protocols have been strengthened to ensure continuity across its network, and SHDS has contracted a third-party firm to provide 24/7 monitoring of its data systems.
On December 31, 2018, Sharecare Health Data Services alerted at least two healthcare groups that their data had potentially been accessed due to the attack, over five months after the discovery of the breach. No reason for the delayed notification has been given.
Los Angeles-based healthcare supplier AltaMed Health Services Corporation has announced that almost 6,000 patients were impacted by the breach. In its breach notice to the California Attorney General, AltaMed said the information obtained by the hackers was restricted to names, addresses, birth dates, unique patient ID numbers, addresses where healthcare services were given, and for some patients, internal SHDS processing notes and medical record numbers. Social Security numbers, financial data, and detailed clinical information were not obtained in the attack. Patients impacted by the breach were alerted on February 15, 2019 and have been offered 12 months of credit monitoring and identity theft protection services for free.
The California Physicians’ Service, operating as Blue Shield of California, has also alerted the California Attorney General about the breach. Blue Shield of California members impacted by the breach have had the following information stolen: names, addresses, birth dates, BlueShield ID numbers, addresses where healthcare services were given, and for some patients, internal SHDS processing memos, medical record numbers, and provider identities. 12 months of credit monitoring and identity theft protection services have also been offered for free. Those services can be renewed annually for individuals who remain BlueShield clients.
According to the breach summary published on the OCR website, 18,416 Blue Shield of California subscribers have had their PHI exposed due to the SHDS breach.
It is currently not confirmed how many other healthcare clients have been affected by the SHDS breach.