Medical Associates of the Lehigh Valley Reports Data Breach Affecting the SSNs and PHI of 75,628 Individuals

Console and Associates, P.C.

On September 9, 2022, Medical Associates of the Lehigh Valley (“MATLV”) filed notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights following a ransomware attack in which an unauthorized party was able to gain access to sensitive consumer data contained on MATLV’s network. According to MATLV, the breach resulted in the names, addresses, email addresses, dates of birth, Social Security numbers, driver’s license numbers, state ID numbers, health insurance providers, medical diagnoses, medical treatment information, medications, and lab results of certain patients being compromised. Recently, MATLV sent out data breach letters to the 75,628 patients affected by the breach, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

What We Know About the Medical Associates of Lehigh Valley Data Breach

According to an official notice filed by the company, on July 3, 2022, Medical Associates of the Lehigh Valley learned that the organization had been targeted in a ransomware attack. After learning of the incident, MATLV took the necessary steps to secure its IT system and then began working with third-party forensic specialists in hopes of learning more about the nature and extent of the breach.

The MATLV investigation confirmed that an unauthorized party had gained access to certain files containing sensitive patient information.

Upon discovering that patient data was accessible to an unauthorized party, Medical Associates of Lehigh Valley then reviewed the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, email address, date of birth, Social Security number, driver’s license number, state ID number, health insurance providers, medical diagnoses, medical treatment information, medications, and lab results.

On September 9, 2022, Medical Associates of Lehigh Valley sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. Based on the company’s filing with the U.S. Department of Health and Human Services Office for Civil Rights, it appears that these letters were sent to 75,628 individuals.

Medical Associates of the Lehigh Valley is an independent healthcare provider based in Allentown, Pennsylvania. MATLV is a physician-owned professional corporation with more than 25 locations throughout Lehigh County. The practice group primarily focuses on primary care, family medicine and pediatrics. The group provides physicians with administrative benefits that enable them to run their practices more smoothly, and provides patients with a consistent level of care. Medical Associates of Lehigh Valley employs more than 136 people and generates approximately $19 million in annual revenue.

The Importance of Protecting Your Protected Health Information

The Medical Associates of the Lehigh Valley data breach leaked a significant amount of patient information. The breached data included not only Social Security numbers, but also patients’ health insurance providers, medical diagnoses, medical treatment information, medications, and lab results. In all likelihood, under HIPAA, this data was considered “protected health information.”

MATLV is not the only healthcare provider who has recently been the target of a cyberattack. Healthcare data breaches have become extreme. In fact, in 2022 alone, these breaches have affected well over 2 million patients. As cybercriminals and other bad actors continue to focus their efforts on obtaining patients’ protected health information, it is incredibly important for victims of a healthcare data breach to understand what is at risk and what their options are.

The first step to protecting yourself is to understand what is meant by “protected health information.” Protected health information, or PHI for short, is demographic information, test and laboratory results, medical history information, insurance information, mental health information and other data that healthcare providers collect to identify a patient and use to determine how to properly treat a patient. The collection and use of PHI are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

However, not all information related to your healthcare is protected. Only data that contains at least one identifier is considered PHI. Under HIPAA, there are 18 identifiers, including:

  • Name;

  • Address (anything smaller than a state);

  • Social security number;

  • Dates (more specific than just a year), such as a patient’s birthdate, admission date, etc.;

  • Email address;

  • Phone number;

  • Fax number;

  • Medical record number;

  • Health plan beneficiary number;

  • Account number;

  • Certificate or license number;

  • Vehicle identifiers, such as serial numbers and license plate numbers;

  • Device identifiers and serial numbers;

  • Web URL;

  • Internet protocol (IP) address;

  • Biometric IDs, such as a fingerprint or voice print;

  • Full-face photographs and other photos of identifying characteristics; and

  • Any other unique identifying characteristic.

Of course, this information is very personal and, on this basis alone, healthcare data breaches are very concerning. However, aside from the privacy risks, they also raise the risk of physical and financial harm to patients. For example, hackers who obtain a patient’s protected health information may attempt to obtain medical care in the victim’s name or sell the information to another party who plans on doing the same. This not only leaves the victim responsible for the bill but can also lead to misleading and incorrect information being added to their medical records.

Those who believe their protected health information was compromised in a data breach should reach out to an experienced data breach lawyer to discuss their options.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Medical Associates of Lehigh Valley data breach, please see our recent piece on the topic here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Console and Associates, P.C.
