Medibase data breach exposes sensitive information of 35,106 patients

Recently, Medibase, a prominent IT service provider for healthcare organizations based in Georgia impacted 35,106.

What happened 

On January 26, 2024, an unauthorized third party managed to access sensitive personally identifiable information and protected health information stored in Medibase's systems. The compromised data includes names, Social Security numbers, dates of birth, medical details like admit and discharge dates, outstanding balance amounts, and health insurance information. 

As soon as Medibase discovered the breach, they promptly launched an investigation to understand the extent of the intrusion and to mitigate any potential harm. On July 5, 2024, Medibase began the process of notifying the affected individuals, aiming to keep them informed and advise them on steps to protect their personal information. 

See also: Communications that must remain HIPAA compliant

Going deeper

The recent data breach is not an instance of unauthorized access in the company with class action being filed for a failure to meet industry standards for data protection on 12 July 2024. Elena Girenko has initiated the class action lawsuit against The Medibase Group, Inc., and Staten Island University Hospital, attributing their lack of rigorous data security measures as the cause of a substantial data breach. This breach led to unauthorized access to sensitive and protected health information of countless individuals. 

According to the lawsuit, the breach, which occurred around January 26, 2024, was a direct result of the defendants' failure to implement, monitor, and maintain adequate security protocols that are standard in the industry. The lawsuit aims to hold Medibase and the hospital accountable for this failure, seeking compensation for those affected and demanding that both institutions adopt stricter security measures to prevent future breaches. 

What was said 

In their security notice, Medibase stated, “Medibase does not believe the unauthorized party targeted any individual’s personal information or intended to harm individuals. Instead, the evidence suggests the unauthorized party was motivated to target Medibase and its company information, as is common with these types of cybersecurity incidents.”

The opening line of the class action provides, “This class action arises out of Defendants’ failures to implement reasonable and industry standard data security practices to properly secure, safeguard, and adequately destroy Plaintiff and Class Members’ sensitive personal identifiable information that it had acquired and stored for its business purposes.”

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is a data breach? 

A data breach occurs when sensitive, protected, or confidential information is accessed or disclosed without authorization.

What is a class action? 

A class action is a lawsuit filed by one or more individuals on behalf of a larger group of people who are affected by the same issue.

What is PHI? 

Protected health information is any personal health information that could be used to identify an individual and that was created, used, or disclosed in the course of providing healthcare services.