EVERSANA, a global commercial services provider to healthcare entities, has disclosed a data breach that occurred between between April 1 and July 3, 2019.  The breach reportedly affected patient data stored in a legacy technology environment, which has since been updated.

According to their notification, “Upon notification of unusual email activity, the firm immediately conducted a comprehensive review and confirmed that certain EVERSANA accounts were subject to unauthorized access through a legacy technology environment, which has since been updated, between April 1 and July 3, 2019.”

But when were they first notified of unusual email activity? And how were they notified? Was this discovered internally or did some external party contact them? And how many patients were impacted?

Eversana reports that they completed their investigation on or around February 7, 2020 and determined the types of information that were potentially accessible:

The types of information potentially accessible may include name, address, social security information, driver’s license/state identification number, passport number, tax identification number, financial account information, debit/credit card information, username and password, health information, treatment information, diagnosis, provider name, MRN/patient ID number, Medicare/Medicaid number, health insurance information, treatment cost information, and/or prescription information.

EVERSANA claims that they currently have no evidence that personal information was subject to actual or attempted misuse.

DataBreaches.net sent an inquiry as to when they first discovered unusual activity and how many patients are being notified, but no reply was received by publication time.  One of the queries concerned whether they are considered a business associate under HIPAA and whether they are reporting this incident to HHS/OCR.

This post will be updated if more information is received.