Nearly 20,000 renal patients’ protected health information (PHI) has been exposed in a ransomware attack against American Renal Associates, now known as Innovative Renal Care (IRC). IRC is one of the largest dialysis service providers in the United States, with over 230 locations and partnerships with nephrologists and health systems nationwide.
SuspectFile first reported the data breach. Although IRC’s website is silent about the breach, and it has yet to appear on the HHS data breach portal, SuspectFile notes that ransomware group Medusa published the stolen patient data on March 2 on the dark web.
Class Action Lawsuits
Lawsuits are already underway. A plaintiff’s law firm, Potter Handy, LLP, is advertising to gather individuals to join a class action lawsuit, with promises of help on the case:
“Don’t wait until it’s too late to protect your rights and seek compensation. Contact us today by filling out the form on this webpage for a free consultation and to learn more about how we can help you with your case.”
According to SuspectFile, the types of information compromised include:
- Name and surname of the patient
- Date of birth
- Gender
- Marital status
- Language
- Race
- First Ever Dialysis Date
- Zip code
- State
Per SuspectFile, in some of the data exposed, “it is possible to access information regarding the patient’s condition, laboratory tests performed, admission dates, medical treatments received, insurance name and type, and other related sensitive information.”
HIPAA Security Rule Compliance Will be Scrutinized
The critical issue in the lawsuits and the unavoidable government investigation is whether IRC followed the HIPAA Security Rule.
Did the company conduct an annual Risk Analysis? Does it have up-to-date policies and workforce training? Are there robust cybersecurity protocols in place?
Answers to these questions will shape the outcome of the investigations. If weak compliance contributed to the breach, the investigations will be drawn out and very expensive.
Plan ahead and ensure your HIPAA compliance is as good as it can be. Review your policies and conduct a HIPAA Risk Analysis. Document everything to prove you did your best to prevent cyber theft.