Nearly One Million Patient Records of Hospitals, Health Clinics, Medical Laboratories, and other Providers Stolen in Ransomware Attack on Medical Records Company
Clinical labs should proactively investigate how a vendor will respond to a data security incident and how quickly, says expert
Clinical laboratory managers in New York and surrounding areas should be aware that almost one million protected health information (PHI) records from as many as 28 healthcare providers appear to have been stolen from a medical records company that services these providers.
Practice Resources LLC (PRL), a company that provides billing services for dozens of hospitals and medical providers in Central New York, announced in August that it had been the target of a ransomware attack that occurred on April 12 of this year. The Syracuse-based organization stated that hackers may have captured personally identifiable information (PII) such as names, home addresses, treatment dates, health plan numbers, and internal account numbers of 934,138 patients.
The data breach affected the patient records of dozens of medical providers and the clinical laboratories that service them, as well as physical therapists, pediatricians, gynecologists, orthopedic surgeons, and more.
Dark Daily’s sister publication The Dark Report covered a similar 2019 data breach in “Labs Should Heed Lessons from Huge Data Breach.”
“When a lab’s vendor has some type of breach, the lab entity that provided the compromised information could have some liability related to the breach,” explained Jim Giszczak, JD (above), McDonald Hopkins, in an interview with The Dark Report over a similar data breach in 2019. “That’s why every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach. Because your lab needs to know how a vendor will respond to a data security incident, and importantly, how quickly it will respond, it’s critical for lab officials to review the contracts they have with vendors that acquire, or have access to, PHI.” (Photo copyright: McDonald Hopkins.)
Not a Scam
“Unfortunately, it’s not a scam,” stated David Barletta, President and CEO of PRL, in an interview with local Syracuse news WSYR. “This really did happen in April—there was a ransomware attack on our system. We brought in forensic accountants and forensic information teams to come and look at what happened.”
PRL sent out more than 940,000 letters to potential victims of the cyberattack in August, noting that some patients may receive more than one letter.
The complete list of “healthcare entities on whose behalf Practice Resources LLC is providing notice of data incident,” according to PRL, includes:
- Achieve Physical Therapy, PC
- CNY Obstetrics and Gynecology, P.C.
- Community Memorial Hospital, Inc
- Crouse Health Hospital, Inc
- Crouse Medical Practice PLLC
- Family Care Medical Group, PC
- Fitness Forum Physical Therapy, PC
- FLH Medical, PC
- Guidone Physical Therapy, PC
- Hamilton Orthopedic Surgery and Sports Medicine
- Helendale Dermatological and Medical Spa, PLLC
- Kudos Medical, PLLC
- Laboratory Alliance of Central New York, LLC
- Liverpool Physical Therapy, PC
- Michael J Paciorek, MD, PC
- Nephrology Associates of Watertown, PC
- Nephrology Hypertension Associates of CNY, PC
- Orthopedics East, PC
- Salvation Army
- Soldiers and Sailors Memorial Hospital Physician Practices
- St. Joseph’s Medical
- Surgical Care West, PLLC
- Syracuse Endoscopy Associates, LLC
- Syracuse Gastroenterological Associates, PC
- Syracuse Pediatrics
- Tully Physical Therapy
- Upstate Community Medical, PC
Although their investigation did not uncover any evidence that personal data was misused, PRL has arranged credit monitoring services free of charge for one year from the date of enrollment. The company is also offering proactive fraud assistance to help people with any questions or in case they become a victim of fraud.
“There were no patient social security numbers that were taken. No medical record information was taken,” Barletta told WSYR. “We really, just out of an abundance of caution, felt that it was necessary that we provide them with credit monitoring for a year—just in case.”
Hundreds of Thousands of Patients Affected by Breach
When PRL discovered the data breach, the company took immediate steps to secure its systems and scrutinize the nature and extent of the incident. It then hired a forensic team to investigate what patient data may have been accessed by the hackers, a process that took several months.
“It does take a long time because each client has hundreds of thousands of patients maybe,” Barletta explained. “We have several large clients that really bore the brunt of this.”
According to Barletta, PRL bills about $450 million annually for its clients, which include some major institutions in Central New York. The New York State Attorney General’s office is investigating the hacking incident and delving into whether PRL’s data security was adequate.
As a result of the breach, FamilyCare Medical Group, which serves more than 80 physicians and thousands of patients, lost all of its laboratory data, according to the group’s CEO, Mitchell Brodey, MD. They had to close their lab for several months while their computer system was rebuilt. During this time, all their lab work was sent to another laboratory for analysis, MSN reported.
The PRL ransomware attack was what is commonly known as a third-party data breach. This type of breach occurs when sensitive data is stolen from a third-party vendor, or when their systems are used to access and steal sensitive information stored on other systems.
In the United States, the Federal Trade Commission (FTC) is responsible for enforcing federal privacy and data protection regulations. If a breach affects 500 or more individuals, the company must issue a press release and notify the FTC and all affected consumers within 60 days of the discovery of the breach.
Clinical Labs Should Proactively Review Member Agreements
In 2019, our sister publication The Dark Report covered a major data breach affecting more than 20 million patients. That breach occurred when hackers gained access to the data systems of a third-party bill collector and impacted four of the nation’s largest clinical laboratories:
- BioReference Laboratories,
- Laboratory Corporation of America,
- Quest Diagnostics, and
- Sunrise Laboratories.
At that time, The Dark Report asked James Giszczak, JD, Chair of the Litigation Department and Co-Chair of the Data Privacy and Cybersecurity Practice Group at McDonald Hopkins, to provide insight on what steps clinical laboratory leaders should take to avoid and handle data breaches.
“One important lesson from this data breach is how critical it is for clinical labs and pathology groups to be proactive in making sure they review their vendor agreements,” Giszczak stated. “In that review, labs need to know the specific measures each vendor is taking to protect the information the lab is providing to their vendors.”
Giszczak suggested that clinical laboratory leaders make sure they understand each vendor’s policies, procedures, training, and response in the event of a data breach. He reiterated that labs could have some liability related to the breach.