Post by ck4829 on Jun 3, 2023 9:41:10 GMT
"Medical debt collector data breach", what's up with that?
"Medical debt collector data breach" sure does scream "World's Greatest Healthcare", doesn't it?
Why does this happen?
WHY does this happen?
What makes this possible?
Should this be happening?
A ransomware attack on a debt collection firm is one of 2022’s biggest health data breaches
A ransomware attack on a little-known debt collection firm that serves hundreds of hospitals and medical facilities across the U.S. could be one of the biggest data breaches of personal and health information this year.
The Colorado-based Professional Finance Company, known as PFC, which contracts with “thousands” of organizations to process customer and patient unpaid bills and outstanding balances, disclosed on July 1 that it had been hit by ransomware months earlier in February.
PFC said in its data breach notice that more than 650 healthcare providers are affected by its ransomware attack, adding that the attackers took patient names, addresses, their outstanding balance and information relating to their account. PFC said that in “some cases” dates of birth, Social Security numbers and health insurance and medical treatment information were also taken by the attackers.
techcrunch.com/2022/07/13/pfc-ransomware-healthcare/
AG Shapiro Announces Multistate Settlement With American Medical Collection Agency Over 2019 Data Breach
Attorney General Josh Shapiro today announced that Pennsylvania, along with 41 Attorneys General, has settled with Retrieval-Masters Creditors Bureau, doing businesses as the American Medical Collection Agency (AMCA), resolving a multistate investigation into the 2019 data breach that exposed the personal information of over seven million individuals. AMCA served as the debt collector for LabCorp, Quest Diagnostics, and other medical service providers.
“American Medical Collection Agency failed in its responsibility to safeguard consumers’ sensitive healthcare information,” said Attorney General Shapiro. “They were repeatedly warned that there were serious flaws in their system, but still they did not take appropriate steps to fix it. They left their system vulnerable to a massive data breach, and the personal identifying information for millions of Americans was put at risk. This settlement ensures that American Medical Collection Agency must do the right thing and fix the security failures that led to a preventable data breach.”
Retrieval-Masters Creditors Bureau is a debt collection agency. Under the name American Medical Collection Agency, or AMCA, the company specialized in small balance medical debt collection primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from August 1, 2018 through March 30, 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. The unauthorized user was able to collect a wide variety of personal information, including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes.
www.attorneygeneral.gov/taking-action/ag-shapiro-announces-multistate-settlement-with-american-medical-collection-agency-over-2019-data-breach/
Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack
R1 RCM Inc. [NASDAQ:RCM], one of the nation’s largest medical debt collection companies, has been hit in a ransomware attack.
R1 RCM acknowledged taking down its systems in response to a ransomware attack, but otherwise declined to comment for this story.
The “RCM” portion of its name refers to “revenue cycle management,” an industry which tracks profits throughout the life cycle of each patient, including patient registration, insurance and benefit verification, medical treatment documentation, and bill preparation and collection from patients.
The company has access to a wealth of personal, financial and medical information on tens of millions of patients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic data.
krebsonsecurity.com/2020/08/medical-debt-collection-firm-r1-rcm-hit-in-ransomware-attack/
Minnesota AG Sues Debt Collection Agency for Health Privacy Violations
On January 19, 2012, Minnesota Attorney General Lori Swanson announced a lawsuit against Accretive Health, Inc., (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit, which was filed in Federal District Court in Minnesota, alleges that Accretive failed to adequately safeguard patients’ protected health information (“PHI”). This failure contributed to a July 2011 information security breach when an Accretive employee left an unencrypted laptop containing information of approximately 23,500 patients in a rental car. The laptop was stolen and has not yet been recovered.
Accretive, a licensed debt collector in Minnesota, provides revenue and cost management services to two Minnesota hospital systems by grading patients according to their risk of hospitalization, compiling profit and loss reports at the patient level, and identifying “real-time interventions with significant revenue or cost impact.” In providing these services to the hospitals, Accretive was a business associate pursuant to the HIPAA Privacy Rule and gained widespread access to patient PHI. This PHI included a patient’s name, address, Social Security number and medical condition, such as whether the patient suffers from depression, is HIV-positive or has diabetes.
In the complaint, Attorney General Swanson is requesting that the District Court enjoin Accretive from violating the HIPAA Security Rule, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit also requests statutory damages under HIPAA, the HITECH Act and Minnesota state law, and reasonable attorneys’ fees. Finally, the complaint requests that the court order Accretive to disclose to affected patients “the data that [Accretive] has about them, where and how such data is stored, including but not limited to whether it has been sent overseas, and how such data is utilized.”
www.huntonprivacyblog.com/2012/01/24/minnesota-ag-sues-debt-collection-agency-for-health-privacy-violations/
cococo.pbworks.com/w/page/150042537/%22Medical%20debt%20collector%20data%20breach%22%2C%20what%27s%20up%20with%20that
Medical Debt
"Medical debt collector data breach" sure does scream "World's Greatest Healthcare", doesn't it?
Why does this happen?
WHY does this happen?
What makes this possible?
Should this be happening?
A ransomware attack on a debt collection firm is one of 2022’s biggest health data breaches
A ransomware attack on a little-known debt collection firm that serves hundreds of hospitals and medical facilities across the U.S. could be one of the biggest data breaches of personal and health information this year.
The Colorado-based Professional Finance Company, known as PFC, which contracts with “thousands” of organizations to process customer and patient unpaid bills and outstanding balances, disclosed on July 1 that it had been hit by ransomware months earlier in February.
PFC said in its data breach notice that more than 650 healthcare providers are affected by its ransomware attack, adding that the attackers took patient names, addresses, their outstanding balance and information relating to their account. PFC said that in “some cases” dates of birth, Social Security numbers and health insurance and medical treatment information were also taken by the attackers.
techcrunch.com/2022/07/13/pfc-ransomware-healthcare/
AG Shapiro Announces Multistate Settlement With American Medical Collection Agency Over 2019 Data Breach
Attorney General Josh Shapiro today announced that Pennsylvania, along with 41 Attorneys General, has settled with Retrieval-Masters Creditors Bureau, doing businesses as the American Medical Collection Agency (AMCA), resolving a multistate investigation into the 2019 data breach that exposed the personal information of over seven million individuals. AMCA served as the debt collector for LabCorp, Quest Diagnostics, and other medical service providers.
“American Medical Collection Agency failed in its responsibility to safeguard consumers’ sensitive healthcare information,” said Attorney General Shapiro. “They were repeatedly warned that there were serious flaws in their system, but still they did not take appropriate steps to fix it. They left their system vulnerable to a massive data breach, and the personal identifying information for millions of Americans was put at risk. This settlement ensures that American Medical Collection Agency must do the right thing and fix the security failures that led to a preventable data breach.”
Retrieval-Masters Creditors Bureau is a debt collection agency. Under the name American Medical Collection Agency, or AMCA, the company specialized in small balance medical debt collection primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from August 1, 2018 through March 30, 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. The unauthorized user was able to collect a wide variety of personal information, including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes.
www.attorneygeneral.gov/taking-action/ag-shapiro-announces-multistate-settlement-with-american-medical-collection-agency-over-2019-data-breach/
Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack
R1 RCM Inc. [NASDAQ:RCM], one of the nation’s largest medical debt collection companies, has been hit in a ransomware attack.
R1 RCM acknowledged taking down its systems in response to a ransomware attack, but otherwise declined to comment for this story.
The “RCM” portion of its name refers to “revenue cycle management,” an industry which tracks profits throughout the life cycle of each patient, including patient registration, insurance and benefit verification, medical treatment documentation, and bill preparation and collection from patients.
The company has access to a wealth of personal, financial and medical information on tens of millions of patients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic data.
krebsonsecurity.com/2020/08/medical-debt-collection-firm-r1-rcm-hit-in-ransomware-attack/
Minnesota AG Sues Debt Collection Agency for Health Privacy Violations
On January 19, 2012, Minnesota Attorney General Lori Swanson announced a lawsuit against Accretive Health, Inc., (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit, which was filed in Federal District Court in Minnesota, alleges that Accretive failed to adequately safeguard patients’ protected health information (“PHI”). This failure contributed to a July 2011 information security breach when an Accretive employee left an unencrypted laptop containing information of approximately 23,500 patients in a rental car. The laptop was stolen and has not yet been recovered.
Accretive, a licensed debt collector in Minnesota, provides revenue and cost management services to two Minnesota hospital systems by grading patients according to their risk of hospitalization, compiling profit and loss reports at the patient level, and identifying “real-time interventions with significant revenue or cost impact.” In providing these services to the hospitals, Accretive was a business associate pursuant to the HIPAA Privacy Rule and gained widespread access to patient PHI. This PHI included a patient’s name, address, Social Security number and medical condition, such as whether the patient suffers from depression, is HIV-positive or has diabetes.
In the complaint, Attorney General Swanson is requesting that the District Court enjoin Accretive from violating the HIPAA Security Rule, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit also requests statutory damages under HIPAA, the HITECH Act and Minnesota state law, and reasonable attorneys’ fees. Finally, the complaint requests that the court order Accretive to disclose to affected patients “the data that [Accretive] has about them, where and how such data is stored, including but not limited to whether it has been sent overseas, and how such data is utilized.”
www.huntonprivacyblog.com/2012/01/24/minnesota-ag-sues-debt-collection-agency-for-health-privacy-violations/
cococo.pbworks.com/w/page/150042537/%22Medical%20debt%20collector%20data%20breach%22%2C%20what%27s%20up%20with%20that
Medical Debt