On July 29, 2022, Healthback Holdings, LLC confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive patient data through compromised employee email accounts. According to Healthback, the breach resulted in the names, health insurance information, Social Security numbers, and clinical information of 21,114 patients being leaked. Recently, Healthback sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Healthback Holdings data breach, please see our recent piece on the topic here.
Additional Details About the Healthback Holdings Data Breach
According to an official notice filed by the company, on June 1, 2022, Healthback learned that an unauthorized party had gained access to an employee’s email account. In response, Healthback retained the services of a cybersecurity firm to investigate the incident. This investigation revealed that several employee email accounts were compromised and that the unauthorized party was able to access the accounts between October 15, 2021 and May 15, 2022.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Healthback Holdings then reviewed the affected email accounts, including all emails and attachments, to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, health insurance information, Social Security number, and clinical information.
On July 29, 2022, Healthback Holdings sent out data breach letters to 21,114 individuals whose information was compromised as a result of the recent data security incident.
Healthback Holdings, LLC is a home healthcare company based in Chickasha, Oklahoma. The company arranges to have employees visit patients’ homes to provide needed services, including skilled nursing, physical therapy, advanced wound care, occupational therapy, and speech therapy. Healthback Holdings operates over 30 locations in Oklahoma and Missouri. Healthback Holdings employs more than 300 people and generates approximately $20 million in annual revenue.
Did the Healthback Breach Result in Patient’s Protected Health Information Being Compromised?
The Healthback Holdings data breach affected several different types of patient data, including Social Security numbers, insurance information and clinical information. While Healthback did not use the term “protected health information” to refer to the leaked data, based on the company’s statements, it appears that the compromised data consisted of protected health information.
Protected health information is any data that relates to a patient’s past or current health condition or how a patient paid for their healthcare. For example, the results of a CT scan, insurance claims information, or blood test results could both be considered protected health information. However, leaked healthcare-related data is only protected if it contains at least one identifier, which would enable someone to match the data up with a specific patient. For example, a few common identifiers are patients’ names, email addresses, physical addresses, photographs or Social Security numbers.
Because the Healthback breach resulted in “health insurance information,” “clinical information,” as well as patients’ names and Social Security numbers, it appears that any leaked healthcare data is considered “protected.”
But what does it mean that data is protected? From a patient’s perspective, the fact that data is classified as protected health information means that, should anyone obtain this data, they have sufficient information to carry out healthcare identity fraud.
Healthcare identity theft is similar to other types of identity theft; however, resolving a case of healthcare identity theft is often much more difficult and comes at a greater cost to patients. Not only that, but unlike financial identity theft, healthcare data breaches can put patients’ physical health at risk.
For example, after a breach results in protected health information being leaked, a hacker can sell a patient’s data to a third party who purchases the data to obtain medical care in the victim’s name. In doing so, the “fake patient” may provide doctors with their own medical information, which can get mixed up with the victim’s own medical information. For instance, a fake patient may give a treating physician a list of their own medications, allergies, or previous medical procedures. This can result in a patient’s medical record containing inaccurate information when they go to the doctor for treatment.
Those who have their protected health information leaked in a data breach should be sure to take all necessary precautions, including reviewing their medical records. Patients who have questions about how to hold a company accountable for the theft of their information should reach out to a data breach lawyer for assistance.
