A revenue cycle management company has notified the Maine Attorney General that it experienced a data breach exposing the protected health information (PHI) of almost 400,000 patients. According to its website, Gryphon Healthcare provides revenue cycle management, coding and compliance, and consulting services to hospitals, physician groups, EMS, imaging centers, and ambulatory surgery centers.
Gryphon’s breach notice explains that the data security incident originated at one of Gryphon’s “partners” for whom Gryphon provides medical billing services. While the term “partner” might imply another (subcontractor) business associate, it appears to refer to a healthcare provider customer based on the description of what happened. Gryphon did not identify the organization specifically.
Federal regulators at the Office for Civil Rights (OCR) will determine the identity of the affected company in its breach investigation. Depending on what OCR finds, that company may also be scrutinized for HIPAA compliance. OCR investigates all healthcare data breaches affecting 500 or more individuals.
Gryphon Discovers and Investigates the Hack
Gryphon first became aware of the incident on August 13, 2024. Hackers obtained access to Gryphon records through connections between Gryphon and its partner.
The breach notice explains that the incident
“resulted in unauthorized access to certain personal and protected health information maintained by Gryphon. As a result of this third-party security incident, an unauthorized actor may have accessed certain files and data containing information relative to patients for whom Gryphon provides medical billing services.”
After discovering the incident, Gryphon began an investigation to determine the extent of the breach and identify the affected patients. It completed the investigation by September 3 and mailed breach notices to the affected patients on October 11, 2024.
Gryphon’s investigation revealed that the hackers accessed names, dates of birth, addresses, Social Security numbers, dates of service, diagnosis information, health insurance information, medical treatment information, prescription information, provider information, and medical record numbers.
Although Gryphon notified the state of Maine, its breach report has yet to appear on the Office for Civil Rights breach portal.
Revenue Cycle Management is a Business Associate Function
As a third-party vendor to healthcare providers, Gryphon is a HIPAA business associate. Like other business associates, Gryphon maintains and transmits vast amounts of patient data for multiple healthcare provider (covered entity) customers. A hack at a business associate can therefore be far larger than an attack on a single covered entity, because the attacker can reach the records of many providers from one place.
Gryphon May Face Class Action Lawsuits
In addition to an OCR investigation, Gryphon will likely need to defend class action lawsuits.
Law firms are already looking for potential claimants to join lawsuits against Gryphon. At least four law firms, plus the website classaction.org, have advertised that they are looking for patients affected by the hack, inviting them to fill out forms to join lawsuits.
The lawsuits will not be brought under HIPAA, which does not permit private rights of action in court; instead, they will likely rest on state privacy and consumer protection laws or negligence claims. Although not “HIPAA lawsuits” per se, the plaintiffs’ lawyers will use HIPAA standards in court as a measure of responsible conduct. If Gryphon failed to follow HIPAA, train its workforce, or use the strong cybersecurity defenses required by the Security Rule, the lawyers will use those facts to prove negligence.
HIPAA Compliance Prevents Breaches and Helps Defend Lawsuits
The best defense against healthcare data breaches is a robust HIPAA compliance program that follows the Security Rule.
The four pillars of HIPAA compliance are:
- Current HIPAA Policies and Procedures
- HIPAA Risk Analysis and Risk Management
- Workforce Training
- Teamwork
Evaluate how you’re doing with each pillar and refresh your program.
Even if you have policies and training, you may need to refresh your risk analysis and review the risk management plan. Risk analysis must be done at least annually, but risk management is a year-round responsibility.
Compliance is a good business practice because it performs multiple functions. Protecting patient privacy and security maintains trust with customers and their patients, helping preserve your reputation and goodwill. Compliance helps prevent breaches that lead to expensive governmental investigations. Finally, if the worst happens, and a large breach occurs, leading to a class action lawsuit, your compliance efforts help defend against negligence claims and reduce litigation costs.