Attacks on revenue cycle management (RCM) firms and debt collection firms often provide criminals with a wealth of personal and protected health information because successfully compromising one billing vendor may give access to the sensitive data of numerous covered entities or clients.
Horizon Healthcare RCM (“Horizon”) in Indiana is the latest RCM to disclose that it has been the victim of a breach.
In a substitute notice on its site and in its notification to the Maine Attorney General’s Office, Horizon reported that between December 25 and December 27, it suffered a ransomware attack with encryption and data exfiltration. They discovered the breach on December 27.
The notification to Maine, filed by Horizon Financial Management LLC, did not disclose the total number of people affected by the breach, only disclosing that 6 Maine residents were affected and providing a sample notification letter. DataBreaches was unable to download the sample notification letter, but Horizon’s website substitute notice described the data involved as varying from individual to individual:
The most common types of information were an internal Horizon number, customer number, or other patient identifier in conjunction with general health insurance claims processing information. In some circumstances, a Medical Record Number was identified with the claims processing information. In a small number of instances, non-address contact information, date of birth, Social Security number, driver’s license number, passport number, payment card information, or checking or financial account information were identified.
In their FAQ, Horizon expands on the above:
Horizon is sending notification letters to patients whose information was involved with this matter. For certain patients, there is insufficient information available to directly notify them. As referenced above, the types of information involved for patients that could not be directly identified was internal reference numbers and general claims processing information. If there are concerns, individuals may consider monitoring their health insurance for unexpected claims information. For a small group of patients (under 500) that have Social Security or government identification numbers, payment card numbers or checking/financial account information involved, they may consider referencing the free resources and guidance in the “Steps Individuals Can Take To Protect Personal Information” section below.
Horizon’s notice states that they have no indication of an individual experiencing verified identity theft or fraud as a result of this incident. That insertion of “verified” allows the possibility that they may have one or more reports but those incidents could not be definitively linked to the breach as the cause (a traceability issue).
Ransomware Attack
Of note, Horizon was more transparent than most entities that try to omit any mention of ransomware or a ransom. Horizon frankly disclosed that a virus encrypted their files, and their notice strongly hints that they paid a ransom demand to get data deleted: “Additionally, we arranged for the party responsible for this matter to delete the copied information.”
They did not disclose what ransomware threat actor or group was responsible. This incident has not shown up on any darkweb leak sites or forums, providing additional indication that Horizon paid the threat actors. Whether the criminals retained a copy of the data anyway and it will show up at some future date remains to be seen, but patients should not rely on any assurances from criminals about data deletion. Nor should they relax because the data cannot be found online at this time.
How Many Patients Were Affected?
As of publication, the total number of patients affected by this incident has not been disclosed, and there is no listing on HHS’s public breach tool.
Whether Horizon will disclose the breach to HHS on behalf of all of its affected clients, or whether the clients will do their own reporting to HHS, is also unknown.
DataBreaches emailed Horizon to ask which threat actor was responsible for the attack, how many patients in total were affected, and whether Horizon or its clients are making the notifications to regulators. No reply was immediately available.
Horizon lists some of its more successful partnerships on its website:
- Ascension Health
- Adfinitas Health
- Bon Secours Health System
- Crook County Medical Services District
- Joseph Dotolo, MD, FACC
- Ensemble Health Partners
- Franciscan Alliance
- Guthrie Lourdes Hospital
- Methodist Hospitals
- Pinnacle Wound Care
- TeleCare Pharmacy
- The Podiatry Care Center
DataBreaches has not seen any breach reports by any of the above recently that would correspond to Horizon’s description of the incident, but has reached out to two of the entities to inquire. How many other partners not listed on the site might be affected is also unknown to DataBreaches.
This post will be updated if more information becomes available.