Conifer hack compromises patient data from 6 hospitals
Photo: zf L/Getty Images
Dallas-based Conifer Revenue Cycle Solutions, which manages revenue and administrative services for healthcare providers, announced August 12 that it had been hacked January 20. The cyberattacker was able to access patient information associated with six hospitals.
WHY IT MATTERS
Conifer says it learned of the breach in April. After a cybersecurity review of the compromised Microsoft Office 365-hosted email account, the company informed affected Texas patients from San Antonio-based Baptist Health System; Resolute Health Hospital in New Braunfels; The Hospitals of Providence Memorial Campus in El Paso; and Valley Baptist Medical Centers in Brownsville and Harlingen. The vendor sent a separate notice to Alabama patients on behalf of Brookwood Baptist Medical Center in Birmingham.
Conifer's officials said the type of patient data compromised may have included identification information (such as full name, date of birth and home address), Social Security number, driver's license/state ID number and/or financial account information, medical and/or treatment information (such as medical record number, dates of service, provider and facility, diagnosis or symptom information and prescriptions) and health insurance and billing information.
"In response to this incident, Conifer immediately took action to block malicious IP addresses and URLs," the company said. "In addition, the password for the impacted account was reset shortly after the unauthorized access. Conifer has enhanced and continues to enhance its security controls and monitoring practices as appropriate to minimize the risk of any similar incident in the future, and Conifer accelerated its implementation of multifactor authentication for business email accounts within the environment."
THE LARGER TREND
Cybersecurity breaches of healthcare organizations pose the highest costs of any industry and require some of the lengthiest reviews to identify and contain security incidents.
Since January, there have been more than 400 incidents of cybersecurity breaches of unsecured protected health information affecting more than 500 people, according to the U.S. Department of Health and Human Services Office for Civil Rights case investigation list. The majority of incidents list network server and email breaches.
The Conifer breach affected 2,787 patients, according to OCR.
ON THE RECORD
"Based on a detailed review conducted between June 13, 2022, and August 3, 2022, it was determined that your personal information associated with a healthcare provider was in the impacted business email account," the Conifer statement said.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.