Medical Review Institute of America

On November 9, 2021, the Medical Review Institute of America (“MRIoA”) discovered that it was the victim of a sophisticated cyber incident that resulted in unauthorized access to its network. 

MRIoA has sent Notice of Data Breach letters on behalf of MRIoA customers which provided MRIoA information to facilitate a clinical peer review of a requested or received health care service.

Protected health information was, according to MRIoA, included in the incident. To date, however, MRIoA does not have “evidence indicating misuse of any of your information.”

According to MRIoA, “[t]he types of protected health information potentially involved (only if this information was provided to MRIoA by the organization named [in the data breach notification letter]) . . . demographic information (i.e., first and last name, gender, home address, phone number, email address, date of birth, and social security number); clinical information (i.e., medical history/diagnosis/ treatment, dates of service, lab test results, prescription information, provider name, medical account number, or anything similar in your medical file and/or record); and financial information (i.e., health insurance policy and group plan number, group plan provider, claim information). [Emphasis added.]

The following are some of MRIoA’s customers on whose behalf MRIoA submitted notification of the data breach:

Albertsons Companies • AllWays Health Partners • Ambetter from Home State Health • Ambetter From Superior Health Plan • Ambetter of North Carolina • Blue Cross & Blue Shield of Rhode Island • Blue Cross and Blue Shield of Minnesota • Blue Cross Blue Shield of Illinois • Blue Cross Blue Shield of New Jersey • Blue Cross Blue Shield of Texas • Cambia Health Solutions • Capital Blue Cross • Cary Medical Center • Florida Blue • General Dynamics • Genex Services, LLC • Government Employees Health Association, Inc. • Health New England • Horizon • Horizon Blue Cross Blue Shield of New Jersey • Magellan Rx Medicare Basic PDP • Maine General Health• National Elevator Industry Health Benefit Plan • North America Administrators • OptumRx • State of Maine Department of Administrative and Financial Services, Office of Employee Health and Wellness • Sullivan Tire • The Associates’ Health and Welfare Plan • Twin Rivers Paper Company • University of Arkansas Medical Benefit Plan • WellCare

Please click Notice of Data Breach for more details about the MRIoA data breach. 

Source: Office of The Maine Attorney General. 

Have You Been Impacted by A Data Breach?

If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected]for a free, no-obligation evaluation of potential legal claims.

Kehoe Law Firm, P.C. 

Equity Bank – Third Party’s Unauthorized Access To Bank’s Systems

137,950 Affected By External Data Breach Of Equity Bank’s Systems

Equity Bank’s “Notice of Data Event” stated that

[o]n or about November 2, 2021, Equity Bank experienced a security event within [its] systems after a third party obtained access to a limited amount of personal information. Equity Bank immediately took steps to resolve the disruption, eliminate the third party’s access, restore system usage, and investigate the nature and scope of the incident. On December 10, 2021, Equity Bank determined the individuals whose information may have been impacted by this event. The information that could have been subject to unauthorized access includes name, address, and financial account number. Equity Bank has no evidence of any actual or attempted misuse of this information. [Emphasis added.]

For more information about Equity Bank’s data breach, please click “Notice of Data Event – Equity Bank.”

Source: Office of the Maine Attorney General, Data Breach Notifications. 

Have You Been Impacted by A Data Breach?

If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected]for a free, no-obligation evaluation of potential legal claims.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.

Ciox Health E-Mail Data Breach – Protected Health Information Impacted

Ciox Health’s (“Ciox”) “Notice Of EMail Security Incident” states that Ciox is working with its customers to notify individuals whose personal information may have been involved in a security incident which resulted in unauthorized access to the e-mail account of a Ciox employee.

The data incident notification stated that

[a]n unauthorized person accessed one Ciox employee’s email account between June 24, 2021, and July 2, 2021, and during that time may have downloaded emails and attachments in the account. Ciox reviewed the account’s contents to determine whether sensitive information was contained in the account. On September 24, 2021, Ciox learned that some emails and attachments in the employee’s email account contained limited patient information related to Ciox billing inquiries and/or other customer service requests. The review was completed on November 2, 2021.

Between November 23, 2021, and December 30, 2021, [Ciox] began the process of notifying our healthcare provider customers of this incident. Since then, [Ciox has] worked with the providers to notify the affected individuals whose information was identified by the review.

Ciox’s notice stated that “[t]he information involved included patient names, provider names, dates of birth, and/or dates of service. In very limited instances, the information involved may have also included Social Security numbers or driver’s license numbers, health insurance information, and/or clinical or treatment information.” [Emphasis added.]

According to Ciox, the “. . . employee whose email account was involved did not have direct access to any healthcare provider’s or facility’s electronic medical record system.”

Ciox provided a list of healthcare providers on whose behalf Ciox is furnishing notice of the e-mail data breach.  As of January 6, 2022, the list of healthcare providers listed on Ciox’s website included:

  • AdventHealth – Orlando
  • Alabama Orthopaedic Specialists
  • Baptist Memorial Health Care
  • Butler Health Systems
  • Cameron Memorial Community Hospital
  • Centra Health
  • Children’s Healthcare of Atlanta
  • Coastal Family Health Center
  • Copley Hospital
  • DeSoto Memorial Hospital Health System
  • EvergreenHealth
  • Hoag Health System
  • Hospital Sisters Health System
  • Huntsville Hospital Health System
  • Indiana University Health
  • McLeod Health System
  • MD Partners
  • Niagara Falls Memorial Medical Center Health System
  • Northern Light Mercy Hospital
  • Northwestern Medicine
  • Ohio State University Health System
  • OrthoConnecticut
  • Prisma Health – Greenville Health System
  • Prisma Health – Palmetto Health
  • Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
  • Trinity Health – Holy Cross Hospital
  • Trinity Health – Mount Carmel Health System
  • Trinity Health – Saint Alphonsus Health System
  • Trinity Health – St. Francis Medical Center
  • Trinity Health – St. Joseph Mercy Health System
  • Union Hospital Healthcare System
  • Women’s Health Specialist

Ciox’s data breach notification also stated that

[w]hile the investigation did not find any instances of fraud or identity theft that have occurred as a result of this incident, out of an abundance of caution, beginning December 30, 2021, Ciox will be working with [its] customers to notify patients whose information was reflected in the emails and/or attachments and for whom [Ciox] had sufficient contact information. [Ciox is] also providing resources involved individuals can use to help protect their information, including complimentary credit monitoring and identity protection services to the limited number of individuals whose Social Security numbers or driver’s license numbers were involved in this incident.

Ciox believes that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information. However, as a precaution, Ciox recommends individuals review statements received from their healthcare providers and health insurers. If they see charges for services they did not receive, they should contact the provider or insurer immediately.

Have You Been Impacted by A Data Breach?

If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected]for a free, no-obligation evaluation of potential legal claims.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.

1,357,879 Affected By Data Breach Of Broward Health’s Network

North Broward Hospital District, D/B/A Broward Health, Data Security Incident Involving Personal Medical Information

Broward Health issued a “Notification of Breach Involving Personal Medical Information,” which stated that “[o]n October 15, 2021, an intruder who gained unauthorized access to the Broward Health network may have accessed some . . . personal information. Broward Health discovered the intrusion on October 19, 2021.”

According to the data breach notification letter, “[t]he personal medical information that was accessed may have included . . . name, date of birth, address, phone number, financial or bank account information, Social Security number, insurance information and account number, medical information including history, condition, treatment and diagnosis, medical record number, driver’s license number and email address. This personal information was exfiltrated, or removed, from Broward Health’s systems, however, there is no evidence the information was actually misused by the intruder.” [Emphasis added.]

According to the Office of the Maine Attorney General, 1,357,879 individuals have been affected by the data breach. 

For more information about the data breach, please click Broward Health’s Notification of Breach Involving Personal Medical Information.”

Source: Office of the Maine Attorney General, Data Breach Notifications. 

Have You Been Impacted by A Data Breach?

If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected]for a free, no-obligation evaluation of potential legal claims.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.

PulseTV – Breach Affects Credit Card Details Of Approximately 201,000

PulseTV Security Incident – PulseTV’s Website Identified As A Common Point Of Purchase For Unauthorized Credit Card Transactions

PulseTV’s data breach notification letter reported a recent data security incident discovered on December 2, 2021 involving some information used to process online orders from the Company’s website, www.pulsetv.com.  

According to PulseTV’s breach notification letter:

[o]n November 18, 2021, [PulseTV’s] investigator learned that the website had been identified as a common point of purchase for a number of unauthorized credit card transactions for MasterCard. Based upon communications with the card brands, it is believed that only customers who purchased products on the website with a credit card between November 1, 2019 and August 31, 2021 may have been affected. The investigation was unable to verify that the website was the cause of the unauthorized transactions. However, in an abundance of caution, PulseTV is notifying customers . . . who purchased products on [PulseTV’s] website during that time period so that they can take steps to protect and secure their credit card information.

According to PulseTV’s notification letter, the compromised information, “may have included . . . name, address, email address, payment card number, expiration date, and card security code (CVV) provided during checkout.”

Please click PulseTV Individual Notice Template Letter for more information about the data breach. 

Source: Office Of The Maine Attorney General, Data Breach Notifications

Have You Been Impacted by A Data Breach?

If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected]for a free, no-obligation evaluation of potential legal claims.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.

Monongalia Health System Data Breach – 398,164 Individuals Affected

Unauthorized Individuals Gained Access To Certain Mon Health E-Mail Accounts – Patient, Provider, Employee, And Contractor Information May Have Been Accessed

In a “Notice of Data Security Incident,” “Mon Health” (i.e., Monongalia Health System, Inc., including affiliated hospitals Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company) reported the following:

Mon Health determined that unauthorized individuals gained access to certain Mon Health email accounts between the dates of May 10, 2021 and August 15, 2021. In response, Mon Health secured the email accounts and reset their passwords.

Based on its investigation, Mon Health believes the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information. That said, Mon Health cannot rule out the possibility that emails and attachments in the involved Mon Health email accounts containing patient, provider, employee, and contractor information may have been accessed as a result of this incident.

Thus, out of an abundance of caution, Mon Health conducted a comprehensive search of the contents of those email accounts to identify the information they contained. Through this search, Mon Health identified emails and attachments that contained the following information relating to patients and members of Mon Health’s employee health plan: names, Medicare Health Insurance Claim Numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former Mon Health patient. [Emphasis added.]

The U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal, reflects the hacking/IT incident affected 398,164 individuals. 

To view the Notice of Data Security Incident, please click “Mon Health”

Have You Been Impacted by A Data Breach?

If so, please complete the form on the right or contact Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected][email protected]for a free, no-obligation evaluation of potential legal claims.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.