Med Associates has suffered a data breach that may have directed patient names and insurance information into the wrong hands. Hackers could use the data for medical fraud, the company said.
On its About page, Med Associates Inc. describes itself as a manufacturer, software developer, and supplier of products for behavioral psychology, pharmacology, neuroscience, and related fields of research.
On March 22, the company’s staff noticed “unusual activity” at an employee’s workstation, so Med Associates began investigating with its IT vendor and a third-party forensics firm.
“It was determined that the unauthorized party accessed the workstation and through that, may have had access to certain personal and protected information,” reads the press release.
The group said they found no evidence that any patient information was specifically accessed or used in any way, but if an attacker did obtain any information through the privileges assigned to that terminal, it would include patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes and insurance information (including insurance ID Number). Med Associates acknowledges that a bad actor could use this data for fraud.
Times Union, a New York-based publication, reports impacted patients number 270,000.
The company has since implemented higher security standards and has increased staff training on data privacy and security. While the group doesn’t say it was human error that led to the breach, the wording certainly implies it.
To appease any angry customers, Med Associates is providing access to a year of credit monitoring and identity restoration services at no cost to patients. It has also sent out a notice telling all patients what they can do to protect against identity theft and fraud.
The Med Associates case is only the last in a string of data breaches targeting the healthcare industry – a very lucrative vertical for hackers seeking revenue through fraud or blackmail.
Recently, Missouri-based Black River Medical Center released a breach notice telling patients their personal data might have been compromised in a phishing scam that tricked one of its employees into handing over login credentials. It wouldn’t be completely out of the question for the same hacker, or group of hackers, to have committed both attacks.