Medusind, a healthcare revenue cycle management provider, has disclosed a data breach that compromised the personal and health information of 360,934 people. The breach, which happened over a year ago, affirms the ongoing cybersecurity challenges in the healthcare sector.
The company, which operates 12 locations across the US and India and supports more than 6,000 healthcare providers, detected suspicious activity on its network on 29 December 2023. It immediately took its systems offline and enlisted a cybersecurity forensic firm to investigate.
In a breach notice sent to affected individuals, Medusind confirmed that a “cybercriminal may have obtained a copy of certain files containing personal information.” The exposed data includes:
- Health insurance and billing details
- Payment information (credit/debit card and bank account numbers)
- Medical history and prescription records
- Medical record numbers
- Social Security and taxpayer ID numbers
- Driver’s license and passport numbers
- Personal contact details such as address, email, and phone number
Company Response and Support
In response to the breach, Medusind has implemented enhanced security measures and is offering two years of complimentary identity monitoring services through Kroll, a global risk management firm. This service includes credit monitoring, fraud consultation, and identity theft restoration.
Those affected are encouraged to activate their identity monitoring services and stay vigilant by reviewing account statements and monitoring their credit reports for any unsanctioned activity.
The breach notice comes hot on the heels of the US Department of Health and Human Services’ (HHS) proposed updates to HIPAA regulations in late 2024. The aim of these updates is to improve the security of patients’ health information amid a surge in healthcare data breaches. Other notable incidents include breaches at Ascension, affecting 5.6 million individuals, and UnitedHealth, impacting 100 million.
Devastating Impacts
Emily Phelps, Director at Cyware, emphasized the urgency of securing the healthcare sector: “The healthcare sector remains one of the most critical industries to secure, given the sensitivity of the data it holds and the devastating impact breaches can have on individuals and organizations.”
She says effective threat intelligence management is vital to identifying and mitigating risks before they escalate. Operationalizing this intelligence can enable faster detection and response to potential breaches. “Moreover, fostering collective defense through trusted information-sharing partnerships ensures that organizations can work together to anticipate, address, and mitigate emerging threats.”
“If the company was using a programmable Universal Zero Trust Network access solution, they could more rapidly isolate key systems through automation and orchestration products in the SOC, reducing the blast radius of attacks,” adds Lawrence Pingree, Vice President at Dispersive. “While there is no silver bullet, defense in depth in security still applies, as does centralization risk.”
A Wake-Up Call for Healthcare
This incident shines a light on the urgent need for better cybersecurity measures in the healthcare sector. With highly sensitive data at stake, entities must prioritize threat intelligence, advanced security solutions, and industry-wide collaboration to combat increasingly sophisticated cyber threats.
Affected individuals seeking more information about the breach or identity monitoring services are advised to contact Kroll.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.