On August 12, 2022, Conifer Revenue Cycle Solutions, LLC provided notice of a data breach stemming from an unauthorized party gaining access to an employee email account. According to Conifer, the breach resulted in the names, dates of birth, addresses, Social Security numbers, driver’s license numbers, medical and treatment information, health insurance information and billing information of certain individuals being compromised. After confirming the breach and identifying all affected parties, Conifer Revenue Cycle Solutions began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Conifer Revenue Cycle Solutions data breach, please see our recent piece on the topic here.
What We Know About the Conifer Revenue Cycle Solutions Data Breach
The information about the Conifer Revenue Cycle Solutions, LLC data breach comes from several notices provided by the company. According to the most current information, on April 14, 2022, Conifer learned that an unauthorized party had gained access to an employee’s email account. In response, Conifer secured its systems and then enlisted the assistance of a data security firm to assist with an investigation into the incident.
The company’s investigation confirmed that an unauthorized party was able to gain access to the affected email account on January 20, 2022. The investigation also revealed that the files accessible to the unauthorized party contained sensitive information pertaining to patients of multiple healthcare providers, specifically:
Baptist Health System
Resolute Health Hospital
The Hospitals of Providence Memorial Campus
Valley Baptist Medical Center – Brownsville
Valley Baptist Medical Center – Harlingen
In separate data breach letters, Conifer confirmed that the data breach also impacted patients of St. Francis Hospital and Hilton Head Hospital.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Conifer Revenue Cycle Solutions began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the breached information varies depending on the individual, it may include your name, date of birth, address, Social Security number, driver’s license number, medical and treatment information, health insurance information and billing information.
On August 12, 2022, Conifer Revenue Cycle Solutions sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Conifer Revenue Cycle Solutions, LLC
Founded in 2008, Conifer Revenue Cycle Solutions, LLC is a business services company based in Frisco, Texas. The company provides managed business services specifically to health systems, managing more than $25 billion in net patient revenue per year. Conifer Revenue Cycle Solutions employs more than 10,915 people and generates approximately $1 billion in annual revenue.
Determining Liability in a Third-Party Data Breach
The Conifer Revenue Cycle Solutions, LLC data breach was what is known as a third-party data breach. The term third-party data breach is used to describe an incident where the breached company is not the same company that received the leaked information from the consumer. Here, Conifer provided business services to several hospitals and, in this capacity, had access to sensitive information. Thus, when Conifer’s systems were breached, it exposed the information of patients, many of which probably had no idea that a company named “Conifer Revenue Cycle Solutions, LLC” had access to their information.
In a situation like this, determining which company is liable for a data breach can be complex, and consumers whose information was leaked may not know where to look for answers.
As a general rule, any company that maintains, stores, transmits or receives consumer data has a legal obligation to the consumer, regardless of whether the company that was breached received the information directly from a consumer. In fact, for the most part, it does not matter how a company comes into possession of consumer or employee data. Instead, the question is whether the company that was hacked or otherwise leaked the information was negligent.
Turning to the Conifer data breach, based on the company’s data breach letters, it would appear that, if any organization is liable, it would be Conifer. However, because the investigation into the recent breach is still in its infancy, it is too soon to tell if the breach was the result of the company’s negligence.
However, as a general matter, in the context of a data breach lawsuit, a company may be financially responsible for victims’ harms if the victims can prove the following elements:
The organization owed the victim a duty of care;
The organization breached the duty it owed to the victim;
The organization’s negligence caused or contributed to the victim’s harms (i.e., identity theft or other frauds); and
The victim suffered economic or non-economic injury as a result.
While this sounds straightforward, proving these elements can be difficult, especially in a case like this where the breached data was shared from one company to another. An experienced data breach lawyer can assist victims of the Conifer Revenue Cycle Solutions, LLC data breach in assessing their options and determining whether they may have a legal claim against either company.