On September 2, 2022, Genesis Health Care, Inc. reported a data breach to the Montana Attorney General’s Office after the company discovered that an unauthorized party had access to its computer system for a period of nearly three months. Although the company did not mention the type of information leaked as a result of the incident, according to state reporting guidelines, a company should only report a violation if it involved consumer social security numbers, financial account information, protected health information or driver’s license numbers or state identification numbers. Therefore, while it cannot be confirmed, it would appear that the Radiant Logistics breach involved one or more of these data types. After confirming the breach and identifying all affected parties, Genesis Health Care began sending data breach letters to all affected parties.
If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Genesis Health Care data breach, check out our recent article on the subject here.
What do we know about the Genesis Healthcare data breach?
The data breach information from Genesis Health Care, Inc. comes from the Montana Attorney General’s Office. According to this source, around April 11, 2022, Genesis detected suspicious activity within its computer network. In response, the company secured its computer systems, reported the incident to law enforcement, and then contacted an external cybersecurity company to assist in the company’s investigation.
On June 9, 2022, the Genesis investigation confirmed that an unauthorized party had gained access to the company’s network on January 19, 2022, and that this access lasted until the company discovered the intrusion on April 11, 2022. The company’s investigation also revealed that some of the files accessed by the unauthorized party contained sensitive consumer information.
After discovering that sensitive consumer data was accessible to an unauthorized party, Genesis Health Care began the process of reviewing all affected files to determine which information had been compromised and which consumers had been affected by the incident. Although the notice filed with the Montana AG does not describe the specific types of data leaked, based on state reporting requirements, the violation is likely to have impacted social security numbers; protected health information; financial account information; or driver’s license numbers or state identification numbers.
On September 2, 2022, Genesis Health Care sent data breach letters to all individuals whose information was compromised following the recent data security incident.
Learn more about Genesis Health Care, Inc.
Founded in 1985, Genesis Health Care, Inc. is a healthcare holding company headquartered in Kennett Square, Pennsylvania. Specifically, Genesis Health Care is a holding company with branches providing services to qualified nursing facilities and assisted/senior living communities. The company also provides contract rehabilitation therapy, respiratory therapy, medical services, personnel services and responsible care. Genesis operates nearly 250 qualified nursing centers and seniors’ communities in 22 states. Company subsidiaries also provide rehabilitation therapies to approximately 1,100 locations in 43 states and the District of Columbia. Genesis Healthcare employs more than 44,000 people and generates approximately $3 billion in annual revenue.
Did the Genesis health care breach involve protected health information?
We know that the Genesis Health Care data breach affected sensitive patient information. However, as the company has not publicly released the specific types of data that were compromised as a result of the incident, we cannot confirm the extent of the leaked information. That said, based on the nature of the company’s healthcare business, it is possible that the breach compromised patients’ protected health information.
Protected health information is all health data relating to a patient’s past or current health condition or how a patient pays or plans to pay for health care. For example, the results of a blood test or CT scan, details on an insurance claim, or a list of a patient’s current medications may be considered protected health information.
However, health care data is not always considered protected. Under HIPAA, health care data is PHI if it contains one or more identifiers. Therefore, if the test results were leaked but did not contain an identifier, there would be no way for anyone to link those results to the patient and the data would not be considered PHI.
An identifier is additional information included with the breached data that allows someone to match the data to a specific patient. Common identifiers include patient names, email addresses, physical addresses, photographs, fingerprints or social security numbers. Therefore, from the patient’s point of view, the fact that the data is considered protected health information means that anyone who comes into possession of the leaked data will have enough information to commit health identity fraud.
Healthcare identity theft is similar to other types of identity theft in that it involves an unauthorized person using someone else’s data for their own benefit. However, healthcare identity theft is typically much more difficult to resolve than other types of identity theft. In part, this is due to the complexity of the healthcare sector.
Not only that, but unlike other forms of identity theft, healthcare identity theft can put patients’ health at risk. For example, cybercriminals often sell stolen protected health information on the dark web. The person buying the data probably does so because they are trying to get medical treatment in your name. Pretending to be you, they go to the doctor for treatment, giving the provider the insurance information.
When the doctor asks the fake patient for any pertinent information, the fake patient will provide their own information to make sure they receive the appropriate treatment. This can result in a situation where your medical record contains inaccurate information when you go to the doctor for treatment.
Victims of a data breach involving protected health information should ensure that they take all necessary precautions, including reviewing their medical records and informing their providers. Patients who have questions about how to hold a company accountable for the theft of their information should turn to a data breach lawyer for assistance.