Modernizing Medicine (“ModMed”) is a healthcare technology firm that provides Electronic Health Records (EHR) and practice management software to many HIPAA-covered entities.
ModMed recently announced that on July 29, it discovered unauthorized activity on some of its computer servers. The servers in question contained data from some of ModMed’s podiatry clients, and the data was accessed and exfiltrated between July 9 and July 10. ModMed notified its impacted providers on September 19 and then notified affected patients on October 17.
According to its notification letter, the types of information included full names, addresses, dates of birth, Social Security numbers, phone numbers, email addresses, health insurance information, medical record numbers, patient account numbers, dates of service, providers, practice names, billing and diagnostic codes, prescription and medication information, as well as diagnosis and treatment information.
No criminal group has claimed responsibility for the July attack as of this publication. However, someone recently attempted to sell data from what they claimed was a second attack on ModMed.
Spurious Claims of a Second Breach?
On October 20, a listing appeared on the Breachst[.]rs forum. The listing, posted by a user called @phanes, claimed that a partial EHR database they had acquired contained the following fields:
billidentifier, encounterid, patient_account_no, patient_name, bill_assignee_name, dob, dos_start, dos_end, primary_biller_name, referring_provider_name, pos, procedure_code, procedure_position, dx1, dx2, dx3, modifier, units_charged, total_charges, ins_balance, first_billed_date, last_billed_date, current_insurance, current_insurance_uid, policy_id, insurance_plan, group_no, primary_insurance, primary_insurance_uid, secondary_insurance, secondary_insurance_uid, sex, task_type_description, batch_number, business_unit, type, bill_follow_up_date, bill_assignee_id, bill_status, balance_type, billing_provider_npi, provider_npi, billed_, claim_submission_format, submission_type, rcm_status, age_days_from_last_billed_date, age_days_from_claim_status_change, coverage_type, rcm_vendor, url, specialty, practice_name, pod, claim_identifier, claim_status, date_modified, latest_claim_status_effective_date, claim_id, scrub_rule_fail_message, scrub_fail_date, firm_id, payer_name, ar_age_last_touch, ar_bill_note_author, last_touch_date, note_text
The listing also claimed they had 1,003 records.

That listing has since been removed, but the contents were also posted on a Telegram channel.
DataBreaches contacted phanes on Telegram to gather more information and request a data sample, which they provided.
After inspecting the data sample they gave us, DataBreaches emailed ModMed with some of the data and asked them to confirm whether they had been breached.
At the time DataBreaches first emailed ModMed, this site was unaware that ModMed had just disclosed the July breach. Once DataBreaches learned of their disclosure, DataBreaches went back to phanes to ask if their data was from that incident. They replied that the July attack was not their attack and that they had attacked ModMed on October 18.
DataBreaches emailed ModMed again, this time asking whether they had been the victim of a second attack on October 18.
The data sample phanes provided to DataBreaches did not contain all of the fields that ModMed had indicated were involved in the July breach. But the July breach reportedly affected an unspecified number of servers. Could phanes’s data have come from just one of those servers on a later date?
The Data Sample
The data sample provided to DataBreaches contained a significant amount of protected health information (PHI). DataBreaches noted personal, medical, and health insurance information. All of the records in the sample involved billing for patients’ visits to podiatry services. For the first two records that DataBreaches inspected:
Record 1:
A female patient whose first and last name and full date of birth were listed had an appointment on May 5, 2023, with a named provider. From the visit’s diagnostic code, DataBreaches could determine that she has Type 2 Diabetes with deformities of fingers and/or toes. From the treatment code, DataBreaches could determine that she was given a custom-fabricated, therapeutic shoe insert for people with diabetes that was made from a physical model of her foot. DataBreaches could also determine that she has Medicaid coverage in Indiana. We also saw billing information and dates.
A Google search found a woman with her exact name in Fort Wayne, Indiana. The named provider is a podiatrist in Fort Wayne, Indiana.
Record 2:
A male patient whose first and last name and full date of birth were listed had an appointment on May 5, 2023, with a named provider and named referring physician. DataBreaches could determine from the diagnostic code that the patient has Meniere’s disease and was a patient at Atreus Medical in South Carolina, which specializes in ENT. He had insurance with Blue Cross and Blue Shield of South Carolina, and his claim was reportedly denied improperly and resubmitted.
A Google search found a man with his name and age in South Carolina. We also saw a match for him in the National Public Data leak.
The sample data appeared to be real, but was this really a second breach, as phanes claimed, or was phanes trying to sell data from the July breach? There was nothing in the sample to prove that it was newer than the July breach.
ModMed has yet to reply to either of DataBreaches’ emailed inquiries.
DataBreaches noticed that the listing was subsequently removed from the forum where it had appeared. When asked about the removal, phanes claimed the moderators had removed it and banned his account based on false doxing by others. Their explanation did not sound particularly credible. When a forum bans a user, their name usually appears with a strikethrough to indicate banned status. Phanes’s account appeared to have been deleted altogether, with no trace left of them or the post.
There is no evidence, then, of any second attack. But there is evidence that data from as many as 1,500 podiatry patient records are in the hands of someone who is trying to sell them. Will other ModMed patient data show up for sale at some point? Possibly, and anyone who received a notification letter from ModMed should take steps to protect themselves from becoming victims of medical identity theft or fraud.