More than 850,000 Individuals Affected by Cyberattack on Partnership HealthPlan of California

In March 2022, Partnership HealthPlan of California (PHC) stated that third-party forensic experts had been engaged to help restore its IT systems following a cyberattack. In a breach notice submitted to the Maine Attorney General, PHC has now reported the potential theft of the protected health information (PHI) of 854,913 current and former health plan members. The incident is one of the major healthcare data breaches reported so far this year.

According to the notification, the cyberattack was detected on or about March 19, 2022. PHC took immediate steps to contain the breach and started an investigation to determine the nature and extent of the attack. PHC said the forensic investigation found information indicating that the unauthorized party behind the cyberattack had exfiltrated files from the PHC system on or about March 19.

The analysis of the compromised files is continuing, and although it has not yet been established which specific types of PHI were in the affected files, the health plan is beginning to mail notification letters to affected individuals. PHC stated that the types of data likely stolen may include names, addresses, email addresses, birth dates, driver’s license numbers, Tribal ID numbers, Social Security numbers, medical record numbers, medical insurance data, diagnoses, treatment and prescribed medication details, other health data, and member website usernames and passwords.

Although PHC did not identify the cause of the cyberattack in its breach notice, the Hive ransomware group has claimed responsibility for the attack and states that it stole approximately 400 GB of files, part of which was briefly published on the group’s data leak webpage. PHC said it is reviewing and improving its policies and procedures relating to data privacy and security, and that additional security procedures and safeguards will be implemented to protect against this kind of event in the future. PHC is covering the cost of credit monitoring services for affected individuals for 2 years. A class-action lawsuit was recently filed on behalf of those affected by the breach.