A ransomware attack at Practice Resources possibly exposed data on hundreds of thousands of consumers.
The Syracuse, N.Y.-based revenue-cycle management company was hit by a ransomware attack in April, according to a notice detailing the incident and submitted to the California Attorney General’s Office. The company said it engaged third-party experts to secure its systems and investigate the scope of the incident, and in June determined the patient data of its provider customers may have been breached.
The data breach possibly compromised information on 942,138 patients, according to a report the company submitted to the Health and Human Services Department’s Office for Civil Rights. Healthcare entities governed by the Health Insurance Portability and Accountability Act must disclose data breaches to the federal agency within 60 days of discovering them.
Hackers may have accessed or stolen data including patients’ names, addresses, dates of treatment, health plan numbers or medical record numbers, Practice Resources said. The company said its investigation has not found evidence suggesting information compromised in the data breach has been misused.
Practice Resources is notifying patients on behalf of more than two dozen hospitals and medical practices for which it provides services.
“Since the incident, we have implemented a series of cybersecurity enhancements and will soon roll out others,” the company said in its notice.
Practice Resources did not immediately respond to a request for comment.
The ransomware attack at Practice Resources marks the sixth-largest data breach reported to HHS this year, following cybersecurity incidents reported by Shields Health Care Group, Professional Finance Company and others. One-third of cyber threats targeting healthcare last quarter were ransomware attacks, according to a report from risk consulting firm Kroll.