Massive Renal Care Network Announces Breach via HealthEC’s 2023 Incident
Table of Contents
- By Steven
- Published: Feb 13, 2024
- Last Updated: Feb 15, 2024
U.S. Renal Care (Renal) is a 32-state, 400-location, 26k-patient healthcare provider primarily concerned with kidney disease and longevity; Renal offers in-facility and at-home dialysis solutions. Renal’s significant treatment network is made possible by various third-party vendors, from equipment solutions to transcription services. HealthEC (Everyone Connected) is one of these vendors—they offer population health technology to institutional entities and store some data associated with their clients’ patients. In mid-2023, an unknown threat actor victimized HealthEC; as it turns out, this event compromised the data of patients (and presumably associates) of Renal. According to the filing published by the Texas Attorney General’s Office, the exposures include 132,759 individuals.
How Did the Attack Occur?
The details about this attack come primarily from HealthEC’s published statement of the event. According to this statement, an unauthorized actor accessed HealthEC’s network environment and copied its files. These files held information about HealthEC’s clients and some of those clients’ patients and associates. Renal’s data was presumably in these stolen files—as was the data of many other HealthEC clients. It is unclear how the unauthorized actor made the attack possible; however, signs point to system manipulation rather than employee error or permission misconfigurations.
What Information Was Viewed or Stolen?
The assailants stole a significant variety of information in HealthEC’s event. Officials will notify victims about their specific impacts via mail. However, until these notices are received, victims may consider taking action themselves. According to the HealthEC website statement, the data compromised in this event may include victims’ names, addresses, birthdays, Social Security Numbers, tax IDs, medical record numbers and information (including diagnosis and provider details), health insurance details (including Medicaid/Medicare numbers and subscriber numbers), and billing/claims data (including patient IDs, treatment costs, and account numbers). Combined, the exposures of these data elements significantly increase the likelihood of future data misuse.
How Did Renal Care Admit to the Breach?
According to HealthEC’s statement, the assault occurred around July 14th, 2023; the unauthorized actor accessed the environment that day and remained there until around July 23rd. Officials presumably found the assailant and expelled them from the system on the same day. Investigations began immediately and concluded around October 24th. HealthEC then began notifying impacted clients two days later. Officials also notified the state attorney generals around February 9th, 2024.
What Will Become of the Stolen Information?
Despite victims having different impacts from this event, all remain at risk for data misuse in the future. Misuse can occur whenever the assailants sell the data or use it for future schemes; this means victims are at risk for identity, financial, and medical fraud. Some may be at risk for account takeovers or, impersonations, even extortion. Victims don’t need to wait to find out how at-risk their data is—they can act immediately.
What Should Affected Parties Do in the Aftermath of the Breach?
HealthEC’s response to the event includes optional steps like adding fraud alerts and credit freezes to any accounts potentially victimized by the incident; however, these aren’t enough to protect a family from the consequences of a breach. In addition to these steps, victims should secure their accounts with new passwords and contact information, implementing the highest security measures wherever possible. They must also request quarterly or bi-annual account statements from their providers—if there’s anything suspicious within those documents, they might be victims of medical or entitlement fraud. Although officials have sent notices, victims don’t have to wait for their letters to safeguard their data; they can start immediately.
