The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Receivables Performance Management Data Breach Affects More Than 3.7 Million Individuals

Data breaches have recently been reported by Acuity Brands in Georgia, San Gorgonio Memorial Hospital in California, and Receivables Performance Management in Washington. The latter appears to have affected more than 3.7 million individuals.

Receivables Performance Management

Receivables Performance Management (RPM) in Lynnwood, WA, a business associate of several HIPAA-covered entities, has recently started notifying individuals affected by a 2021 ransomware attack. The incident was detected on May 12, 2021, with the investigation confirming its systems were first breached on April 8, 2021. Files only started to be encrypted on May 12.

RPM said it was able to stop the attack and restore its systems within 36 hours and retained a computer forensics firm to investigate the breach and determine the nature and scope of the attack; however, it took until October 2, 2022, to determine the types of information and individuals affected. RPM said that the length of time it took to fully investigate the breach was due to the complexities of RPM’s server infrastructure. RPM said it “obtained confirmation to the best of its ability that the information is no longer in the possession of the third party(ies) associated with this incident.”

RPM said personal information was potentially compromised, including Social Security numbers. Affected individuals are being offered complimentary credit monitoring services. RPM said it is continuing to work with security experts to improve its defenses to prevent similar breaches in the future. At this stage, the number of people affected by the breach has yet to be confirmed. The breach report submitted to the Maine Attorney General indicates 3,766,573 individuals have been affected in total, with approximately 500,000 of those individuals residing in Texas. The incident is not yet appearing on the HHS’ Office for Civil Rights breach portal.


Acuity Brands

Acuity Brands, a lighting and building management firm in Georgia, has announced that unauthorized individuals had access to its network on December 7 and December 8, 2021, and exfiltrated some files. While investigating that breach, Acuity Brands discovered an earlier security breach that occurred on October 6 and October 7, 2020, and in that earlier incident, unauthorized individuals had attempted to copy files from its systems.

A review of all documents potentially accessed in both incidents was then conducted, which revealed the files included the information of current and former employees and members of its health plan. The incident was limited to employees. No customer information was compromised.

Both incidents resulted in the exposure and possible theft of files containing names, Social Security numbers, driver’s license numbers, financial account information, and limited health information related to other aspects of an individual’s employment with Acuity, such as injury information related to workers compensation claims, or related to requests for leave under the Family and Medical Leave Act. The types of information involved varied from individual to individual. Complimentary memberships to credit monitoring services are being offered to eligible individuals. Additional safeguards have been implemented to prevent further data breaches.

The HHS’ Office for Civil Rights breach portal indicates 20,849 individuals have been affected.

San Gorgonio Memorial Hospital

San Gorgonio Memorial Hospital in Banning, CA, has started notifying certain patients about a computer intrusion and data theft incident. A security incident was detected on November 10, 2022, and prompt action was taken to isolate and shut down its systems. The forensic investigation confirmed that an unauthorized individual gained access to its network on October 29, 2022, with access confirmed as terminating on November 10. During that period of access, files were copied from its systems, and on November 14, 2022, it was confirmed that those files contained patient information.

A prompt notification was sent to the California Attorney General, although the document review and investigation are ongoing. It has been confirmed that the documents contained information such as names, addresses, birth dates, medical record numbers, visit ID numbers, health insurance information, and/or clinical information, including diagnosis and treatment information.

San Gorgonio Memorial Hospital said additional safeguards have been implemented to prevent further data breaches. The incident has been reported to the HHS’ Office for Civil Rights as affecting 16,846 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
