Regional One Health, a Tennessee-based non-profit health system that owns and operates an acute care hospital, a long-term care hospital, physician practices and other health-related entities, gave notice that it had detected a data breach that occurred at the end of 2022.
Specifically, Reventics, a revenue cycle management company and a business associate of Regional One Health, detected a cyber-intruder who accessed the company’s servers in December 2022. Upon learning of the breach, Reventics hired an international cybersecurity and forensic consulting firm to determine the extent of the incident. The firm confirmed the intruder accessed and exfiltrated certain personally identifiable information and protected health information covered by HIPAA and state privacy laws.
Healthcare organizations are increasingly targets of cyber criminals due to the high volume of sensitive data they hold. Data breaches are costly realities for healthcare organizations, and a single data breach can cost upwards of $10 million on average, according to a recent study. The fallout of a data breach can also extend beyond cost by disrupting care and operations of a company. Plus, patients can easily lose trust in their healthcare provider if their data is compromised in a data breach.
The information breached included:
- First, middle, and last name; patient address; date of birth; and social security number;
- Medical record number; patient account number; financial information; driver’s license and other government-issued ID;
- Healthcare provider’s name and address; and health plan name and health plan ID;
- Clinical data including diagnosis information, dates of services, treatment costs, prescription medications, the numeric codes used to identify services and procedures patients received from healthcare providers, and a brief description of these codes.
Reventics’ internal teams are still working with third-party cybersecurity consultants to fortify its systems in the aftermath of the attack.
“Reventics was able to quickly contain the cyber-intruder and continue operations uninterrupted,” the company said in a statement. “In response to this event, Reventics implemented new technical safeguards, including, without limitation, adopting new encryption controls, performing a new/updated security risk analysis, providing individuals with free credit and identity monitoring, revising its policies and procedures, and retraining workforce members.”
The company is mailing letters to those potentially impacted by the data breach whose information was accessed and stolen, including Regional One Health customers.