American healthcare management organization Gryphon Healthcare recently suffered a supply-chain cyberattack in which sensitive data on hundreds of thousands of patients was stolen.
The company confirmed the news in a breach notification filed with the Office of the Maine Attorney General, stating a company partner that Gryphon provides medical billing services for was breached some time before August 13, 2024.
The company did not name the partner that was breached, but it seems that the breach gave the attackers access to personal and protected health information that Gryphon maintained.
No evidence of misuse
“As a result of this third-party security incident, an unauthorized actor may have accessed certain files and data containing information relative to patients for whom Gryphon provides medical billing services,” the company said in the filing.
“The information may have included your name, date of birth, address, Social Security number, dates of service, diagnosis information, health insurance information, medical treatment information, prescription information, provider information and medical record number,” the filing continued.
The data stolen is more than enough to run highly sophisticated phishing attacks, identity theft operations, or even wire fraud. The total number of people affected by this incident stands at 393,358, Gryphon said, adding that it has seen no evidence suggesting that the data was misused. At this time, no threat actors have assumed responsibility for the attack.
Given the sensitivity of the information they handle, healthcare organizations are one of the most popular targets for ransomware attackers. These threat actors steal the information, and then threaten to release it to the public, unless a payment is made. Leaked patient data could result in loss of business, tarnished reputation, regulator fines, and even class-action lawsuits.
In fact, The Register reports Tulsa, OK-based Abington Cole and Ellery have already started appealing for victims of the data protection mess, and that is not the only class-action lawsuit against breached healthcare firms it is currently handling.