AllyAlign Health (AAH), a Medicare Advantage special needs plan administrator, recently notified 76,348 members and providers of an attempted ransomware attack. But how successful were the threat actors? And what could the Virginia firm figure out and what couldn’t they figure out based on their investigation?
According to AAH’s notification letter, the attack occurred on November 13, and was detected on November 14. AAH considered the incident to be “discovered” on February 2.
In the letter to insured members, David Crocker, AAH’s CIO, wrote that AAH had found no evidence that their information had been specifically accessed or acquired for misuse. But then there’s this:
“However, due to the compromise of our network, we are notifying you of this incident. It is possible that the following information, if maintained by AAH, could have been exposed to the unauthorized third party: first and last name, mailing address, date of birth, social security number, Medicare Health Insurance Claim Number (HICN), Medicare Beneficiary Identifier (MBI), Medicaid recipient identification number (if applicable), medical claims history, health insurance policy number, and other medical information.”
“if maintained by AAH”? “If?”
Why don’t they tell people exactly what information AAH did maintain on them? Isn’t that part of the point of notification under HIPAA and HITECH? The notification letter to providers had a similar structure but different data types:
“first and last name, mailing address, date of birth, social security number, Council for Affordable Quality Healthcare (CAQH) credentialing information (if applicable).”
So providers may or may not have had their SSN exposed and the entity isn’t even telling them whether that data was on file for them.
AAH is offering those notified credit monitoring and identity theft protection services through IDX. Maybe if people call IDX, IDX can tell them exactly what types of information AAH had on file that was potentially exposed to the threat actor(s)?
DataBreaches.net sent some questions to AllyAlign yesterday but has received no response by the time of this publication. The incident does not appear to be on HHS’s public breach tool at this time.
Update 2:47 pm. The incident now appears on HHS’s breach tool as impacting 33,932 health plan members. Given the number they reported to a state attorney general, the difference may represent the number of providers notified.