In March 2022, Partnership HealthPlan of California (PHC) reported that third-party forensic professionals were requested to help reestablish the operation of its IT network right after a cyberattack. PHC has already affirmed in a breach notification sent to the Maine Attorney General the potential theft of the protected health information (PHI) of 854,913 current and previous health plan members. This case is one of the biggest healthcare data breaches announced to date this year.
Based on the notification, the cyberattack was discovered on or approximately March 19, 2022. PHC took steps immediately to limit the breach and launched an investigation to find out the nature and magnitude of the cyber attack. PHC stated the forensic investigation found proof that the unauthorized party responsible for the cyberattack had taken files from the PHC network on or about March 19.
The assessment of the compromised files is in progress, and although it is not yet affirmed which particular types of protected health information were included in the impacted files, the health plan is starting to send notification letters to affected people. PHC mentioned the types of information possibly stolen may consist of names, email addresses, addresses, dates of birth, Tribal ID numbers, driver’s license numbers, Social Security numbers, medical record numbers, health insurance details, diagnoses, treatment, and prescription data, other clinical details, and member online account usernames and passwords.
Although PHC failed to express the nature of the cyberattack in its breach notification letter, the Hive ransomware gang has professed to be behind the attack and claims it stole approximately 400 GB of files, a portion of which was temporarily uploaded to the group’s data leak website. PHC stated it is going over and improving its policies and procedures associated with data protection and security, and extra security steps and safeguards will be put in place to protect against this sort of event later on. PHC is covering the price of access to credit monitoring services for victims for two years. Recently, a class-action legal case was filed on behalf of persons impacted by the breach.