OnePoint Patient Care, based in Tempe, AZ, reported a data breach to the HHS’ Office for Civil Rights (OCR) on October 14, 2024, due to hacking that affected the protected health information (PHI) of 795,916 people. The same incident was reported to the Maine Attorney General on November 22, 2024, but the number of affected people was 1,741,152, including 99 Maine residents. OnePoint began mailing notification letters to the impacted persons on November 26, 2024.
No additional information about the data breach was included in the notification letter to the Maine Attorney General. The same information was given as the published post in its October 25, 2024 announcement since no further information regarding the cause of the breach has been discovered. The ransomware-as-a-service group Inc Ransom group, which uses double extortion tactics, stated that it was behind the attack. INC Ransom attacks networks, discovers sensitive information, extracts that information, and proceeds with file encryption. INC Ransom requires the payment of a ransom to release the decryption keys and to stop the exposure of the stolen information.
Though the attackers issued a ransom demand, OnePoint did not pay the ransom to recover files, and so OnePoint Patient Care was put on the group’s data leak website making the stolen information downloadable. The INC Ransom data leak site indicates that the OnePoint Patient Care post had 14,246 views by November 28, 2024. However, the number of times the information was downloaded is unknown.
OnePoint Patient Care mentioned in the notification letters that no actual or attempted data misuse has been identified; however, misuse of the stolen data is very likely. Therefore, all impacted persons should use the credit monitoring and identity theft services offered and be watchful against data misuse.
The October 25, 2024 post by OnePoint Patient Care mentioned that it detected suspicious activity within its computer system on August 8, 2024. It immediately took action to limit the breach and stop continuing unauthorized systems access.
Third-party cybersecurity specialists investigated the breach and confirmed on August 15, 2024 that the attackers accessed its systems from August 6 to August 8, 2024, and exfiltrated files without authorization. Some files included customer data such as names, medical record numbers, diagnoses, prescription details, and addresses. The Social Security numbers of some customers were also compromised.
The affected people received notification about the potential exposure of their PHI and were told to keep track of their credit reports, statements of account, and benefit statements for fraudulent transactions. Those whose Social Security numbers were compromised received free credit monitoring and identity theft protection services. OnePoint Patient Care expressed its commitment to protecting the privacy and security of personal information and is enforcing safety measures to prevent the same breaches down the road.