The Medical Review Institute of America notifies patients of ransomware incident (updated)
The Medical Review Institute of America (“MRIoA”) collects protected health information (PHI) as part of providing clinical peer review for covered entities that request it (if the patient consents to provide info for the review).
MRIoA was hit with ransomware in November. And although they do not directly state that they paid ransom, it sounds like they did because their notification states that to the best of their ability and knowledge, they “retrieved and subsequently confirmed the deletion” of their information.
Do they really have any genuine belief that the data were deleted, when every expert has been saying for the past few years that criminals do not delete data, even though they swear they will delete it and that their word is good?
I wish entities would be a bit more realistic and tell people, “Look, we paid these b*stards a ton of money to get your data deleted, but the reality is that they probably didn’t delete it despite swearing they would, so take steps to protect yourself, and here’s how we will try to help you: ...”
You can read the full notification/press release on the Vermont Attorney General’s website at https://ago.vermont.gov/blog/2021/12/17/the-golub-corporation-data-breach-notice-to-consumers/
The incident has not (yet) appeared on HHS’s public breach tool.
On MRIoA’s site, however, under Privacy and Security, it says:
MRIoA takes the privacy and security of your information very seriously. MRIoA’s privacy and security program incorporates the HITRUST Common Security Framework (CSF) and associated standards/regulations referenced within, including HIPAA, HITECH, and state data and privacy laws. MRIoA maintains strict access controls including privileged access, file integrity monitoring, input validation and comprehensive audit logging, and ensures confidentiality of data by using AES-256 encryption for data at rest and TLS1.2 for data in transit.
So if data at rest were accessed and exfiltrated, had they been encrypted as promised? There is no mention of any of the compromised PHI being encrypted in MRIoA’s notification. It’s possible that the attackers encrypted data that MRIoA had already encrypted, but in that case I would think the notification would have been sure to state that MRIoA had encrypted the data. DataBreaches.net sent an email inquiry to MRIoA last night asking about that and a few other questions, but no reply had been received as of the time of publication.
Update: This incident was subsequently reported to the Maine Attorney General’s Office as impacting 134,571 people. MRIoA never responded to this site’s inquiry about whether the data had been encrypted at rest. Interestingly, though, their notification to Maine residents, a copy of which was provided to the Maine Attorney General’s Office, included a statement that the forensic investigation found that the threat actor(s) had gained access to its systems via a SonicWall vulnerability on November 2, 2021. DataBreaches.net does not know which SonicWall vulnerability this was, but wonders whether potential plaintiffs will claim that the firm did not patch promptly.
The notification to Maine residents also included an appendix listing all the MRIoA clients for whom it had provided this notification:
• Albertsons Companies
• AllWays Health Partners
• Ambetter from Home State Health
• Ambetter From Superior Health Plan
• Ambetter of North Carolina
• Blue Cross & Blue Shield of Rhode Island
• Blue Cross and Blue Shield of Minnesota
• Blue Cross Blue Shield of Illinois
• Blue Cross Blue Shield of New Jersey
• Blue Cross Blue Shield of Texas
• Cambia Health Solutions
• Capital Blue Cross
• CARY MEDICAL CENTER
• Florida Blue
• General Dynamics
• Genex Services, LLC
• Government Employees Health Association, Inc.
• Health New England
• Horizon Blue Cross Blue Shield of New Jersey
• Magellan Rx Medicare Basic PDP
• MAINEGENERAL HEALTH
• National Elevator Industry Health Benefit Plan
• NORTH AMERICA ADMINISTRATORS
• State of Maine Department of Administrative and Financial Services, Office of Employee Health and Wellness
• SULLIVAN TIRE
• The Associates’ Health and Welfare Plan
• Twin Rivers Paper Company
• University of Arkansas Medical Benefit Plan
Update2: Superior HealthPlan has issued a notification.