Practice Resources recently notified 942,138 patients that their data was accessed or stolen ahead of a ransomware attack deployed in April. The New York-based vendor provides billing and professional services to a range of healthcare entities.
Under the Health Insurance Portability and Accountability Act, covered entities and business associates are required to inform patients of a breach of protected health data without undue delay and within 60 days of discovering it.
The ransomware attack was launched against Practice Resources on April 12, prompting the vendor to secure the systems and investigate the incident. The vendor found that personally identifiable information and health data were likely subjected to access and/or acquisition. The exposed data included names, contact details, dates of treatment, and health plan or medical record numbers.
All impacted patients will receive up to two years of free credit monitoring and related services. Practice Resources has since enhanced its existing cybersecurity and intends to implement additional measures.