Genesis Health Care, Inc. Reports Data Breach Following Period of Unauthorized Access – JD Supra

September 11, 2022

On September 2, 2022, Genesis Health Care, Inc. reported a data breach with the Office of the Montana Attorney General after the company discovered that an unauthorized party had access to its computer system for a period of nearly three months. While the company did not mention the type of information that was leaked as a result of the incident, under state reporting guidelines, a company only needs to report a breach if it involved consumers’ Social Security numbers, financial account information, protected health information or driver’s license numbers or state identification numbers. Thus, while it cannot be confirmed, it would appear that the Radiant Logistics breach involved one or more of these data types. After confirming the breach and identifying all affected parties, Genesis Health Care began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Genesis Health Care data breach, please see our recent piece on the topic here.
The information about the Genesis Health Care, Inc. data breach comes from the Office of the Montana Attorney General. According to this source, on around April 11, 2022, Genesis detected suspicious activity within its computer network. In response, the company secured its computer systems, reported the incident to law enforcement, and then reached out to an outside cybersecurity firm to assist with the company’s investigation.
On June 9, 2022, the Genesis investigation confirmed that an unauthorized party had gained access to the company’s network on January 19, 2022, which lasted until the company discovered the intrusion on April 11, 2022. The company’s investigation also revealed that some of the files that were accessible by the unauthorized party contained sensitive consumer information.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Genesis Health Care began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the notice filed with the Montana AG does not outline the specific data types that were leaked, based on state reporting requirements, it is likely that the breach impacted Social Security numbers; protected health information; financial account information; or driver’s license numbers or state identification numbers.
On September 2, 2022, Genesis Health Care sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Genesis Health Care, Inc. is a nonprofit FQHC (Federally Qualified Health Center) healthcare provider based in Columbia, South Carolina. The company operates the following practices, all in the Pee Dee area of South Carolina:
Pee Dee Health Care
Olanta Family Care
Professional Pharmacy of Olanta
Lamar Family Care
Genesis Health Care
Florence Walterboro Family Care
Valcourt Pediatric Associates
Genesis Health Care Darlington
Professional Pharmacy of Darlington
Specialty Pharmacy
Genesis Health Care also operates Walterboro Family Care Center in nearby Walterboro, SC. The company provides a wide range of services to its patients, including primary care, preventative care, OB/GYN, lab diagnostics and pediatrics.
We know that the Genesis Health Care data breach affected sensitive patient information. However, because the company did not publicly release the specific data types that were compromised as a result of the incident, we cannot confirm the extent of the information that was leaked. That said, based on the nature of the company’s business in the healthcare industry, it is possible that the breach compromised patients’ protected health information.
Protected health information is any healthcare data that relates to a patient’s past or current health condition or how a patient pays or plans to pay for their healthcare. For example, blood test or CT scan results, details about an insurance claim, or a list of a patient’s current medications can all be considered protected health information.
However, healthcare-related data is not always considered protected. Under HIPAA, healthcare-related data is PHI if it contains one or more identifiers. Thus, if test results were leaked but did not contain an identifier, there would be no way for anyone to connect those results to the patient, and the data would not be considered PHI.
An identifier is an additional piece of information included along with the breached data that allows someone to match the data to a specific patient. Common identifiers include patients’ names, email addresses, physical addresses, photographs, fingerprints, or Social Security numbers. Thus, from a patient’s perspective, the fact that data is considered protected health information means that anyone who comes into possession of the leaked data will have sufficient information to carry out healthcare identity fraud.
Healthcare identity theft is similar to other types of identity theft because it involves an unauthorized person using another’s data for their own benefit. However, healthcare ID fraud is typically much more difficult to resolve than other types of identity theft. In part, this is due to the complexities of the healthcare industry.
Not only that, but unlike other forms of ID theft, healthcare identity theft can put patients’ health at risk. For example, cybercriminals will often sell stolen protected health information on the dark web. The person who buys the data likely does so because they are looking to obtain medical care in your name. Pretending to be you, they go to the doctor to receive treatment, giving the provider your insurance information.
When the doctor asks the fake patient for any relevant information, they will provide the doctor with their own information to ensure they receive the appropriate treatment. This can result in a situation where your medical record contains inaccurate information when you go to the doctor for treatment.
Victims of a data breach involving protected health information should be sure to take all necessary precautions, including reviewing their medical records and informing their providers. Patients who have questions about how to hold a company accountable for the theft of their information should reach out to a data breach lawyer for assistance.
See more »
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Console and Associates, P.C. | Attorney Advertising
Refine your interests »
This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.
Back to Top
Explore 2022 Readers’ Choice Awards
Copyright © JD Supra, LLC


Article Tags:
Article Categories:

Leave a Reply

Your email address will not be published.

The maximum upload file size: 512 MB. You can upload: image, audio, video, document, spreadsheet, interactive, text, archive, code, other. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here