4 Million People Affected by Debt Collector Data Theft Hack
Stolen Data Includes Patient Medical Information, According to Breach Notification

A Pennsylvania-based debt collector originally told regulators in April that a hacker compromised the personal identifiable information of 1.9 million people. Now the company says the data breach affected more than 4 million people and included patient medical information.
Financial Business and Consumer Solutions in an updated breach report to Maine's attorney general on Monday said that nearly 7,800 Maine residents are among the more than 4 million individuals now determined to be affected by a hacking incident the company first reported on April 26 (see: Breach Roundup: REvil Hacker Gets Nearly 14-Year Sentence).
FBCS has since filed four updated breach reports to Maine's regulators for the same incident, and the number of affected individuals has risen each time. The latest update - including a sample breach notice letter FBCS submitted on Monday to Maine's attorney general - reported for the first time that patient medical information was among the data compromised.
FBCS reported the hacking incident to the U.S. Department of Health and Human Services' Office for Civil Rights on June 4 as a HIPAA breach affecting about 209,000 individuals.
In its latest breach report to Maine's attorney general, FBCS said that on Feb. 26, it discovered unauthorized access to certain systems in its network. The incident did not affect computer systems outside of FBCS’s network, the company said.
FBCS's investigation into the incident determined that its IT environment was subject to unauthorized access between Feb. 14 and 26, during which time the unauthorized actor had the ability to view or acquire certain information on the FBCS network.
Information that may have been accessed or exfiltrated during the incident includes individuals' names, Social Security numbers, birthdates, account information and medical information.
Affected individuals are being offered 12 months of identity and credit monitoring.
FBCS did not immediately respond to Information Security Media Group's request for additional details, including the type of medical information that was compromised in the breach and why the number of affected individuals keeps climbing.
Debt Collector Risks
FBCS is not the first debt collector to report a major breach affecting millions of individuals and involving compromise of medical information.
The largest such incident - affecting more than 22 million individuals - was a hack first reported in 2019 by American Medical Collection Agency, whose clients included some of the biggest medical laboratories in the U.S.
AMCA and its parent company, Retrieval-Masters Creditors Bureau, ended up facing enforcement actions from several state attorneys general and multiple proposed class action lawsuits related to the incident. The company eventually filed for bankruptcy due to costs associated with the breach (see: AMCA Bankruptcy Filing in Wake of Breach Reveals Impact).
Debt collectors that experience hacks and other breaches - and whose customers include healthcare firms - can present a host of potential data security and regulatory compliance issues for themselves and their clients, some experts said.
"A debt collector is considered a business associate under HIPAA when collecting debt related to medical services or goods on behalf of a covered entity," said regulatory attorney Rachel Rose.
Debt collectors pose the same level of risk as any covered entity, business associate or subcontractor that handles protected health information and fails to comply with requirements of the HIPAA privacy, security and breach notification rules, she said.
"This is because they have the same obligations as other business associates and in the event of a breach, it could open a back door directly to the covered entity's IT infrastructure. It depends on how the debt collection agency is exchanging sensitive information with the covered entity."
"What is imperative is to ensure that a thorough risk analysis is done that takes into account the various routes of ingress and egress of the PHI," said Rose, who is not involved in the FBCS or AMCA incidents but who has represented other medical debt collectors.
The FBCS breach underscores the importance of having continued training, comprehensive compliance programs and adequate technical, administrative and physical safeguards in place, Rose said. That includes implementation of best practices recommended by the National Institute of Standards and Technology, Section 405(d) of the Cybersecurity Act of 2015 and the HIPAA Security Rule, she said.