Patients who need specialty care turn to a trusted provider for help. They trust the provider will deliver expert medical service, but also will keep their private information secure. For 350,000 patients that trust was recently interrupted by a devastating cyber incident.
Cyber thieves broke into the IT network at BioPlus Specialty Pharmacy Services (BioPlus) and stole protected health information (PHI) belonging to 350,000 individuals between late October and early November, 2021. BioPlus offers therapy management services that develop individual therapeutic care plans. The pharmacy helps to manage hepatitis, Crohn’s disease, multiple sclerosis, rheumatoid arthritis, psoriasis, psoriatic arthritis, and cancer. Headquartered in Florida, BioPlus has locations in California, Florida and North Carolina.
On December 10, BioPlus explained on its website that they noticed suspicious activity on their network on November 11 and immediately took steps to isolate and secure their systems. They also launched an investigation with the assistance of a third-party forensic firm and notified law enforcement. The cyber thieves likely accessed patient names, dates of birth, addresses, medical record numbers, current/former health plan member ID numbers, claims information, diagnoses, and/or prescription information, and for some, Social Security numbers were taken. This breach is one of the largest reported to the U.S. Department of Health and Human Services (HHS) breach reporting portal in December.
Medical Identity Theft is More than Financial Theft
BioPlus mailed a notice to patients on December 10 explaining what happened and offering complimentary credit monitoring for one year. This notice is similar to nearly every one we’ve seen from providers to affected patients, but in our opinion falls short.
For patients whose medical identity is stolen, the risks go far beyond credit card fraud and financial concerns. Criminals can use medical identity to obtain medical care, including prescription drugs and expensive surgeries. When a patient’s medical identity is used by someone else, their own medical records are compromised and can contain incorrect information, putting their safety at risk.
Notices from providers to patients should include advice about monitoring medical records to ensure they remain accurate and reflect only the patient’s own medical identity. Monitoring should continue for life, not just for a year, because medical identity theft can take longer to surface than other forms of identity theft.
HIPAA Risk Management
More needs to be done to prevent medical identity theft. Details of how this incident occurred at BioPlus are not publicly known, although HHS will investigate since all breaches affecting 500 or more individuals are investigated. HHS will ask whether a Risk Analysis was performed, and whether it included a security risk assessment. BioPlus’s HIPAA policies, procedures and workforce training records will be scrutinized. If more needs to be done to protect patient data going forward, BioPlus may become stronger. For now though, 350,000 patients are at risk for medical identity theft.