Genesis Health Care, Inc. Reports Data Breach Following Period of Unauthorized Access

Console and Associates, P.C.

On September 2, 2022, Genesis Health Care, Inc. reported a data breach to the Office of the Montana Attorney General after the company discovered that an unauthorized party had access to its computer system for a period of nearly three months. While the company did not mention the type of information that was leaked as a result of the incident, under state reporting guidelines, a company only needs to report a breach if it involved consumers’ Social Security numbers, financial account information, protected health information, or driver’s license numbers or state identification numbers. Thus, while it cannot be confirmed, it would appear that the Radiant Logistics breach involved one or more of these data types. After confirming the breach and identifying all affected parties, Genesis Health Care began sending out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Genesis Health Care data breach, please see our recent piece on the topic here.

What We Know About the Genesis Health Care Data Breach

The information about the Genesis Health Care, Inc. data breach comes from the Office of the Montana Attorney General. According to this source, on or around April 11, 2022, Genesis detected suspicious activity within its computer network. In response, the company secured its computer systems, reported the incident to law enforcement, and then reached out to an outside cybersecurity firm to assist with the company’s investigation.

On June 9, 2022, the Genesis investigation confirmed that an unauthorized party had gained access to the company’s network on January 19, 2022, and that this access lasted until the company discovered the intrusion on April 11, 2022. The company’s investigation also revealed that some of the files that were accessible to the unauthorized party contained sensitive consumer information.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Genesis Health Care began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the notice filed with the Montana AG does not outline the specific data types that were leaked, based on state reporting requirements, it is likely that the breach impacted Social Security numbers; protected health information; financial account information; or driver’s license numbers or state identification numbers.

On September 2, 2022, Genesis Health Care sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About Genesis Health Care, Inc.

Genesis Health Care, Inc. is a nonprofit FQHC (Federally Qualified Health Center) healthcare provider based in Columbia, South Carolina. The company operates the following practices, all in the Pee Dee area of South Carolina:

  • Pee Dee Health Care
  • Olanta Family Care
  • Professional Pharmacy of Olanta
  • Lamar Family Care
  • Genesis Health Care
  • Florence Walterboro Family Care
  • Valcourt Pediatric Associates
  • Genesis Health Care Darlington
  • Professional Pharmacy of Darlington
  • Specialty Pharmacy

Genesis Health Care also operates Walterboro Family Care Center in nearby Walterboro, SC. The company provides a wide range of services to its patients, including primary care, preventative care, OB/GYN, lab diagnostics and pediatrics.

Did the Genesis Health Care Breach Involve Protected Health Information?

We know that the Genesis Health Care data breach affected sensitive patient information. However, because the company did not publicly release the specific data types that were compromised as a result of the incident, we cannot confirm the extent of the information that was leaked. That said, based on the nature of the company’s business in the healthcare industry, it is possible that the breach compromised patients’ protected health information.

Protected health information is any healthcare data that relates to a patient’s past or current health condition or how a patient pays or plans to pay for their healthcare. For example, blood test or CT scan results, details about an insurance claim, or a list of a patient’s current medications can all be considered protected health information.

However, healthcare-related data is not always considered protected. Under HIPAA, healthcare-related data is PHI if it contains one or more identifiers. Thus, if test results were leaked but did not contain an identifier, there would be no way for anyone to connect those results to the patient, and the data would not be considered PHI.

An identifier is an additional piece of information included along with the breached data that allows someone to match the data to a specific patient. Common identifiers include patients’ names, email addresses, physical addresses, photographs, fingerprints, or Social Security numbers. Thus, from a patient’s perspective, the fact that data is considered protected health information means that anyone who comes into possession of the leaked data will have sufficient information to carry out healthcare identity fraud.

Healthcare identity theft is similar to other types of identity theft because it involves an unauthorized person using another’s data for their own benefit. However, healthcare ID fraud is typically much more difficult to resolve than other types of identity theft. In part, this is due to the complexities of the healthcare industry.

Not only that, but unlike other forms of ID theft, healthcare identity theft can put patients’ health at risk. For example, cybercriminals will often sell stolen protected health information on the dark web. The person who buys the data likely does so because they are looking to obtain medical care in your name. Pretending to be you, they go to the doctor to receive treatment, giving the provider your insurance information.

When the doctor asks the fake patient for any relevant information, they will provide the doctor with their own information to ensure they receive the appropriate treatment. This can result in a situation where your medical record contains inaccurate information when you go to the doctor for treatment.

Victims of a data breach involving protected health information should be sure to take all necessary precautions, including reviewing their medical records and informing their providers. Patients who have questions about how to hold a company accountable for the theft of their information should reach out to a data breach lawyer for assistance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Console and Associates, P.C.
