Patient Information Stolen During a Cyberattack on the Medical Review Institute of America

The Medical Review Institute of America (MRoiA) encountered a supposed ransomware attack last November 2021 that led to the stealing of sensitive patient information.

MRoiA is granted access to patient data by HIPAA-covered entities because of the clinical peer evaluation process of healthcare providers. Based on a data breach notice furnished to the Vermont attorney general, MRoiA stated it experienced a sophisticated cyberattack that was discovered on November 9, 2021. Third-party cybersecurity specialists were quickly involved to do a forensic investigation to find out the nature and extent of the attack and to help with its remediation initiatives, which include re-establishing its systems and procedures.

On November 12, 2021, MRoiA learned that the cyber attackers had exfiltrated sensitive information, such as patients’ electronic protected health information (ePHI). MRoiA failed to say in the breach notification letter whether or not ransomware was employed, though the attack has the distinctions of a double-extortion ransomware attack.

MRoiA mentioned on November 16, 2021, it got word that the stolen data were reclaimed and copies of the files were wiped out, which implies the ransom demand was settled, though there’s no affirmation.

MRoiA stated that the inquiry into the attack is continuing and an assessment of the exposed files was done. Persons affected by the attack had their complete names compromised aside from at least one of the following information: Sex, residence address, telephone number, email address, date of birth, Social Security number, medical background, diagnosis, treatment data, dates of service, laboratory test data, medication details, provider name, medical account number (and other information saved in medical records, medical insurance details, and claims data.

MRoiA mentioned that before the breach it had implemented the HITRUST Common Security Framework (CSF), complied with the demands of HITECH and HIPAA Act, and had protected its systems to avert unauthorized access. Because of the breach, extra cybersecurity steps are being put in place. These comprise regular tracking of systems employing advanced threat hunting and detection software programs, using supplemental authentication processes, fortifying its backup system, and enhancing employee cybersecurity training.

New servers were designed from scratch to make certain there will be no more unauthorized access. MRoiA, along with third-party cybersecurity professionals, is working to further strengthen its security posture. Impacted people were given free identity monitoring services.

The breach is not yet showing up on the HHS’ Office for Civil Rights breach website, and so it is at this time uncertain how many persons were impacted.