Remedy Medical Group is a pain management specialty practice in California. Their web site indicates that they are consultants to some professional sports teams in their area. Did a breach involving some of their patients’ data also impact any prominent athletes who might receive extortion demands? At this point, there is no indication of any of that, but this breach is a reminder yet again that a business associate breach may have a significant impact on a covered entity. In this case, the business associate, Administrative Advantage, mentions healthcare “providers” (plural) in their press release, so Remedy Medical Group appears to be just one of a number of covered entities. Whether we will see reports on any other covered entities remains to be seen, as some entities may have had fewer than 500 patients impacted.
From Administrative Advantage’s press release:
SAVANNAH, Ga., April 5, 2021 /PRNewswire/ – Administrative Advantage (“AA”) provides billing support services to certain healthcare providers. AA is providing this notice on behalf of its customer, Remedy Medical Group, a medical practice with offices in San Mateo, San Francisco and Oakland, California. In July 2020, AA became aware of unusual activity involving a single employee email account. AA immediately began an investigation and worked quickly to assess the security of the email account. With the assistance of third-party computer specialists, on August 18, 2020, AA’s investigation determined that an unauthorized person or persons may have accessed the email account between June 23, 2020, and July 9, 2020. Because AA could not conclusively rule out unauthorized access to information in the account, in an abundance of caution, AA reviewed the contents of the email account to determine whether sensitive information was present at the time of the incident. Through this review AA determined that certain information it received from healthcare providers was present in the relevant account at the time of the incident. To date, AA is unaware of any actual or attempted misuse of information as a result of this incident. AA’s review determined that, while the information varies by individual, name, Social Security number, financial account information, driver’s license and/or state identification number, credit and/or debit card number, expiration date, and CVV number, date of birth, passport number, electronic signature information, username and password information, medical record number, Medicare number, Medicaid number, treatment location, diagnosis, health insurance information, lab results, and other medical treatment were present in the impacted email account at the time of the event.
Read the full press release.