Reventics LLC is a business associate in Colorado offering revenue cycle management, clinical documentation, and quality improvement services. On or about December 15, 2022, Reventics detected some anomalies in its systems and discovered an intrusion and encryption of its files. Some of those files contained protected health information (PHI) of patients. On December 27, an investigation by external consultants confirmed that PHI had been accessed and exfiltrated.
The information that may have been compromised potentially included first and last name, date of birth, healthcare provider’s name and address, health plan name, the numeric codes used to identify services and procedures patients received, and descriptions of these codes.
In a notification letter submitted to the Montana Attorney General’s Office on February 10, Reventics notes, “At this time, we have no confirming evidence this information has been used by the cyber-intruder.”
On February 13, the Royal ransomware group added Reventics to their dark web leak site, leaking more than 16 GB of files. Royal claims those files are only 10% of what they exfiltrated. DataBreaches has not yet been able to examine the leaked data because (perhaps happily for its victims) Royal’s server is abysmally slow.
Reventics does not appear to have updated its website notice to address the dumping of any data on the internet. It is offering those affected services through IDX. Reventic’s website notice, which is not quite identical to its notification template sent to Montana, also states:
In response to this event, Reventics implemented new technical safeguards, including, without limitation, adopting new encryption controls, performed a new/updated security risk analysis, is providing individuals with free credit and identity monitoring, revised its policies and procedures, and retrained workforce members.
The total number of patients being notified was not revealed in their notices, and their report to HHS has not yet appeared on HHS’s website or state websites that report numbers. The only number currently available reveals that Reventics informed the Montana Attorney General that 1,027 Montana residents were being notified.
This post will be updated after the total number of patients is available. There is currently no list of affected clients.
Update: Reventics reported the incident to HHS on February 10 as affecting 250,918 patients. HHS just added the listing on February 23. DataBreaches also notes that the notice on Reventics’ website mentions more data elements that may have been involved than its February notice to Montana, and makes no mention of any ransomware or data leak. The data elements mentioned in their website notice are: first and last name, date of birth, Social Security number, financial information, healthcare provider’s name and address, health plan name, clinical data, numeric codes used to identify services and procedures, and brief descriptions of the codes.
