Prominence Health Plan and Ohio Medicaid Data Breach

The Nevada health insurance provider Prominence Health Plan has reported it experienced a security breach on November 30, 2020 resulting in the potential acquisition of the protected health information (PHI) of some plan members by hackers. Prominence Health Plan discovered the data breach on April 22, 2021 and took immediate action to avoid continuing unauthorized access, which includes altering the credentials utilized by the attacker to obtain network access.

Although Prominence Health Plan hasn’t established whether or not this was a ransomware attack, all impacted plan member information has been recovered from backup copies. The breach affected the audio recordings of telephone calls to the Prominence call center in addition to PDF files that had provider claim forms and letters to patients informing them regarding claim approvals and denials.

The audio files usually contained complete names, birth dates, and member ID numbers, whilst the PDF files had a member’s name, birth date, sex, postal address, member ID number, and claim code. The files contained the PHI of people who were members from 2010 to 2020. Roughly 45,000 people were impacted.

There were no reported instances of PHI misuse and the data in the files wasn’t in an easily usable file format, which restricts the possibilities for misuse. Prominence is doing online tracking for any indications of attempted improper use of the stolen information and impacted people were notified and given free credit monitoring and identity theft protection services. Extra security actions are being enforced to stop any more data breaches.

Ohio Medicaid

Ohio Medicaid has reported that its information manager, Maximus, has encountered a data breach wherein the personal information of Ohio Medicaid providers was compromised.

An unauthorized third party accessed the software utilized by Maximus from May 17 to May 19, 2021. Upon finding out about the breach, Maximus took down the application to stop any more unauthorized access. A top-rated third-party cybersecurity company helped in the conduct of the investigation.

The cybersecurity company stated that the breach was limited to the software. The servers, programs, or systems were not affected. There is no proof found that suggests the misuse of any data inside the application, such as Ohio credentialing and licensing information. Maximus also mentioned that the breach did not affect the people covered by Medicaid.

Maximus explained the speedy discovery of the breach restricted likely negative effects; nonetheless, since there is a probability of data theft, all people impacted were informed on June 18, 2021 and were provided free credit monitoring services for two years.