US healthcare org admits up to 400,000 people's personal info was snatched

It waited till just before Columbus Day weekend to make its mandated filing, but don't worry, we saw it


A Houston-based services provider to healthcare organizations says a crook may have grabbed up to 400,000 people's information after the miscreant accessed the systems of one of its customers.

Gryphon Healthcare, which provides revenue cycle and management services, said patients' names, dates of birth, addresses, and Social Security numbers were all potentially accessed by a malicious attacker.

It said the miscreant may have got hold of patient medical data including diagnoses, details of medical treatments and providers, prescriptions, health insurance information, and medical record numbers.

Regardless, the company said: "Gryphon takes the privacy and security of all information within its possession very seriously."

It also offered the usual disclosure line that there's no reason to believe the data has been misused yet (which often means a company has hired someone to monitor the dark web for samples up for sale). All victims have been offered the standard 12 months of credit monitoring and identity protection services.

The details of these 393,358 individuals were being stored by an organization for which Gryphon provided medical billing services, the company said.

According to the company's website, such organizations could include hospitals, emergency departments and EMS providers, imaging centers, independent labs, the incredibly broad catch-all "healthcare facilities," ambulatory surgery centers, and private practices.

Gryphon detected the incident on August 13, finished its review of the impacted data on September 3, and began notifying those affected on Friday. According to its filing with Maine's Attorney General, the first time the data was accessed by an unauthorized person was on July 6.

"As soon as Gryphon discovered this incident, Gryphon took the steps described above and implemented measures to enhance security and minimize the risk of a similar incident occurring in the future," it said.

"The privacy and protection of personal and protected health information is a top priority for Gryphon. We deeply regret any inconvenience or concern this incident may cause."

Gryphon didn't specify the nature of the events that led to the exposure of the data, describing it only as a "recent data security incident."

However, it may have to reveal a little more in the coming months as lawyers wasted no time in working up a proposed class-action lawsuit.

Tulsa, OK-based Abington Cole and Ellery started appealing for victims of the data protection mess to come forward on Saturday, a day after letters to victims were mailed out.

Within a month of its ransomware disaster earlier this year, UnitedHealth – the parent company of Change Healthcare – was hit with at least six class-action lawsuits.

The total number of lawsuits it's currently handling is unknown, but multiple law firms filed similar class actions as recently as June. Per reports at the time, a further 49 lawsuits, separate from the class actions, were centralized by a judicial panel and are due to be heard in Minnesota, where UnitedHealth is headquartered.

Class representatives in these cases range from the individual victims of the breach to healthcare partners and investors.

Of course, where there's blame, there's a claim. Class actions following medical data thefts – often the most sensitive of all the attacks we report here – are fairly common and can be relatively lucrative for claimants.

Med-Data, another Texas-based revenue cycle management company, agreed in April this year to a $7 million settlement with victims whose data was stolen in 2022. Each was able to claim up to $5,000 for their ordeal.

Even more recently, a $65 million settlement was agreed by Pennsylvania-based Lehigh Valley Health Network over its 2023 ALPHV/BlackCat breach. The lawyers who brought the case, from the firm Saltz Mongeluzzi Bendesky, claimed the settlement was "the largest of its kind, on a per-patient basis, in a healthcare data breach ransomware case."

In an appalling indignity, the attacker even posted nude photos of cancer patients online. Those whose naked images were published were eligible for the highest tier of damages: a sum between $70,000 and $80,000. ®
