Cassandre Coyer reports:
Health-care billing company Medical Billing Specialists Inc. didn’t appropriately monitor its computer systems, failing to notice a data breach exposing swaths of its clients’ patient data, a proposed class action said.
The provider didn’t follow its contractual requirements with medical providers, nor “industry standards, common law, and representations” it made about its security practices, according to a complaint filed Tuesday in the US District Court for the District of Massachusetts. MBS’ inadequate cybersecurity posture enabled a February 2024 breach that revealed patients’ data including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical diagnoses and treatments, and more.
Read more at Bloomberg Law (sub. req.)
According to DataBreaches’ notes on the incident, Medical Billing Specialists (MBS Select) experienced a cyberattack on February 17, 2024. On March 6, the Akira ransomware gang added MBS to their dark web leak site with a threat, “Over 120GB of data will be uploaded here on our blog soon. You will find detailed employees and patients information – addresses, DOB, emails, background checks, phones, correspondence with clients, NDAs and so on.”
On December 15, 2024, MBS posted a notice on their site. The notice stated, in part:
Again, we found no evidence that patient information has been specifically misused. However, the following information could have been acquired and disclosed by an unauthorized third party: first name, last name, address, date of birth, Social Security number, driver’s license number, medical record number, patient ID number, Medicare/Medicaid number, health insurance information, financial account information or credit and debit card numbers, and certain health information. Notably, the types of information affected were different for each individual, and not every individual had all the above listed elements exposed.
As far as DataBreaches can determine, this incident has never shown up on HHS’s public breach tool. It was reported to Massachusetts residents in February 2025, and letters were sent out to patients at that time. The number of Massachusetts residents affected has not yet been posted on the commonwealth’s breach tool, and we do not know the total number affected for this incident.