A revenue cycle management firm in Indiana called Horizon Healthcare RCM has recently disclosed a significant data breach. The company reported that it suffered a ransomware attack with data exfiltration that occurred between December 25th and 27th. Attacks on these types of billing vendors are particularly damaging as they hold sensitive data for numerous clients. This single successful compromise may have exposed the personal and protected health information of a great many individuals.
The types of patient data involved in the security breach reportedly varied widely from one individual to another. The most common information included internal reference numbers and general health insurance claims processing and payment information. For some patients, medical record numbers were identified, while a much smaller group had more sensitive data exposed. This included Social Security numbers, financial account information, passport numbers, driver’s license numbers, and other personal contact details.
In a moment of transparency, Horizon frankly disclosed that a virus had encrypted its files during the incident.
The company’s notice strongly suggests that it paid a ransom demand to have the stolen information completely deleted. Horizon reported that it had arranged for the responsible party to delete the copied information from their systems. The firm did not however disclose which ransomware threat actor or group was actually responsible for the December attack.
The total number of patients who were ultimately affected by this data breach has not yet been publicly disclosed.
It is also currently unknown whether Horizon will be disclosing the breach to the government on behalf of its clients. Some of Horizon’s listed healthcare partners include major organizations like Ascension Health and the Bon Secours Health System. DataBreaches has not yet seen any corresponding breach reports from any of the company’s publicly listed healthcare partners.
Reference:
