Patient Records Stolen in a Cyberattack on the Medical Review Institute of America

The Medical Review Institute of America (MRoiA) experienced an alleged ransomware attack in November 2021 that resulted in the theft of sensitive patient data.

HIPAA-covered entities give MRoiA access to patient information as part of the clinical peer evaluation process for medical care services. According to a data breach notice submitted to the Vermont attorney general, MRoiA stated it experienced a sophisticated cyberattack that was identified on November 9, 2021. Third-party cybersecurity specialists were immediately called in to perform a forensic investigation to determine the nature and scope of the cyberattack and to assist with remediation, which includes recovering its systems and functions.

On November 12, 2021, MRoiA learned that the attackers had exfiltrated sensitive data, including patients’ electronic protected health information (ePHI). MRoiA did not say in the breach notification letter whether ransomware was used, but the attack appears to have been a double-extortion ransomware attack.

MRoiA said that on November 16, 2021, it had assurances that the stolen information had been recovered and that copies of the information had been erased, which indicates the ransom demand was paid, although there is no confirmation.

MRoiA stated that the investigation into the attack is still in progress and that an assessment of the breached files has been completed. People affected by the attack had their full names exposed along with some of the following data elements: gender, home address, phone number, email address, birth date, Social Security number, medical record, diagnosis, treatment details, dates of service, lab test results, prescription data, provider name, medical account number and other data kept in medical files, health insurance data, and claims details.

MRoiA said that prior to the breach it had followed the HITRUST Common Security Framework (CSF), complied with the requirements of HIPAA and the HITECH Act, and had secured its systems to prevent unauthorized access. Since the breach, additional cybersecurity measures are being implemented. These consist of continuous monitoring of systems using an advanced threat hunting and detection application, adding extra authentication methods, hardening its backup environment, and improving employee cybersecurity training.

New servers were built from the ground up to ensure there is no further unauthorized access. MRoiA, together with third-party cybersecurity professionals, is working to further enhance its security posture. Affected individuals have been offered complimentary identity monitoring services.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.