On August 4, 2022, Molecular Pathology Laboratory Network, Inc. confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on MPLN’s network. According to MPLN, the breach resulted in patients’ full names, Social Security numbers, financial account information, and contact information, as well as a significant amount of protected health information being compromised. Recently, MPLN sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Molecular Pathology Laboratory Network data breach, please see our recent piece on the topic here.
What We Know About the Molecular Pathology Laboratory Network Data Breach
According to an official notice filed by the company, on December 17, 2021, Molecular Pathology Laboratory Network discovered what was, at the time, a potential cybersecurity threat after portions of the company’s network became inaccessible. In response, the company secured its systems and began working with third-party cybersecurity specialists to investigate the incident and determine what, if any, consumer data was affected.
The Molecular Pathology Laboratory Network investigation confirmed that an unauthorized party indeed had access to at least portions of its network. Further, the affected networks contained sensitive consumer information.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Molecular Pathology Laboratory Network then reviewed the affected files to determine what information was compromised and which consumers were impacted. Molecular Pathology Laboratory Network completed this review on July 6, 2022. While the breached information varies depending on the individual, it may include your name, address, date of birth, gender, phone number, email address, Social Security number, driver’s license number, financial account information, payment card information, diagnosis/treatment information, procedure type, provider name, prescription information, date of service, medical record number, patient account number, procedure code, health insurance information, and medical test results.
On August 4, 2022, Molecular Pathology Laboratory Network sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1989, Molecular Pathology Laboratory Network, Inc. is a specialty healthcare provider based in Maryville, Tennessee. MPLN provides a range of diagnostic services, including molecular diagnostics, specialty anatomic pathology, flow cytometry, fluorescence in situ hybridization, and cytogenetic testing. Molecular Pathology Laboratory Network employs more than 108 people and generates approximately $19 million in annual revenue.
What Is Protected Health Information and Why Consumers Should Be Cautions After a Healthcare Data Breach
The Molecular Pathology Laboratory Network data breach affected multiple types of patient data, including addresses, Social Security numbers, insurance information and other medical information. As MLPN notes in the “Notice of Cyber Incident” posted on its website, some of the leaked data was “protected health information.”
Protected health information is data that relates to a patient’s past or current health condition or how a patient paid for their healthcare services. For example, the results of a blood test or MRI, insurance claims information, or a list of a patient’s past medical procedures could all be protected health information. However, compromised healthcare-related data is only considered protected if it contains one or more identifiers. An identifier is an additional piece of data included with the breached information that would allow someone to match the healthcare data to a specific patient. For example, identifiers include patients’ names, physical or email addresses, physical addresses, photographs, fingerprints, or Social Security numbers.
Because the MPLN breach resulted in “diagnosis/treatment information, procedure type, provider name, prescription information, date of service, medical record number, patient account number, procedure code, health insurance information, and medical test results,” as well as names, addresses and Social Security numbers, it appears that any leaked healthcare was “protected healthcare information.”
But what is the significance of compromised PHI? From a patient’s perspective, the fact that data is classified as protected health information means that, if anyone obtains this data, they have sufficient information to carry out healthcare identity fraud.
Healthcare identity theft is similar to other types of identity theft; however, it is generally more difficult to resolve and comes at a greater cost to patients. Not only that, but unlike other forms of identity theft, healthcare identity theft can put patients’ health at risk.
This is because, after a hacker obtains a patient’s protected health information, they will often post the data on the dark web in hopes of selling it to a third party. The third party who purchases the data does so to obtain medical care in the victim’s name. In doing so, when the doctor asks the “fake patient” for any relevant information, such as their current medications or past medical procedures, they will give the doctor their own information. This can result in a situation where a patient’s medical record contains inaccurate information when they go to the doctor for treatment.
Victims of a healthcare data breach should be sure to take all necessary precautions, including reviewing their medical records and informing their providers. Patients who have questions about how to hold a company accountable for the theft of their information should reach out to a data breach lawyer for assistance.