Conifer Revenue Cycle Solutions, a Dallas-based company that manages revenue and administrative services for healthcare providers, made a statement on Aug. 12 that it “experienced a cybersecurity incident that may have affected your personal information.”
Conifer is currently providing this notice on behalf of the following healthcare providers: San Antonio-based Baptist Health System; Resolute Health Hospital in New Braunfels; The Hospitals of Providence Memorial Campus in El Paso and Valley Baptist Medical Centers in Brownsville and Harlingen. The vendor sent a separate notice to Alabama patients on behalf of Brookwood Baptist Medical Center in Birmingham.
The statement provided by Conifer does not provide the number of individuals impacted by the breach, but the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal has the number at 2,787.
The statement says that “On April 14, 2022, Conifer learned that an unauthorized third party gained access to a Microsoft Office 365-hosted business email account. Upon discovery, Conifer immediately began an investigation, and engaged a leading security firm. Based on the investigation, the unauthorized party was able to access the business email account at Conifer on January 20, 2022. This email account is separate from Conifer’s internal network and systems, which were not affected by this incident.”
Moreover, “Based on a detailed review conducted between June 13, 2022 and August 3, 2022, it was determined that your personal information associated with a healthcare provider was in the impacted business email account. Even though Conifer conducted a thorough investigation, it was not possible to conclusively determine whether personal information was actually accessed by the unauthorized party. To date, we are not aware of any misuse of your data.”
The statement adds that the personal information involved in the incident may have included full name, date of birth, address; social security number, driver’s license/state ID number, and/or financial account information; medical and/or treatment information (medical record number, dates of services, provider and facility, diagnosis/symptom information, and prescription/medication information); health insurance information (payer name and subscriber Medicare/Medicaid number); and billing and claims information. Not all of the data elements were involved for all individuals impacted, according to the statement.
“Conifer takes privacy and security very seriously. In response to this incident, Conifer immediately took action to block malicious IP addresses and URLs,” the statement explains. “In addition, the password for the impacted account was reset shortly after the unauthorized access. Conifer has enhanced and continues to enhance its security controls and monitoring practices as appropriate to minimize the risk of any similar incident in the future, and Conifer accelerated its implementation of multi-factor authentication for business email accounts within the environment.”