Health Recovery Services leaked data of more than 20,000 clients

An unauthorized IP address caused leakage of over 20,000 Health Recovery Services clients' data

The Health Recovery Services company was leaking sensitive information of 20,485 patients since November 14, 2018

Health Recovery Services (HRS) released a report on April 5, 2019, which detailed a data breach that affected 20,485 of the company's patients. The informative statement explained that the infringement occurred due to network intrusion from an unauthorized IP address, and affected HRS servers since November 14, last year.^[1]

However, the company officials found out about the activity only on February 5, 2019 – this signifies that details were being leaked unnoticed for a three-month duration:^[2]

On March 15, 2019, our third-party forensic expert determined that the unauthorized access to our network occurred from November 12, 2018, until its discovery on February 5, 2019.

HRS claims to has launched the investigation immediately after the malicious activity was discovered by the staff. The organization states that its networks and systems were disconnected and disabled. Also, experts have rebuilt the entire network system just to be sure that it is fully secure and no more suspicious actions are being performed.

According to the notice, the information included patient demographic data. However, those who enrolled in the clinic after 2014 might have their health insurance details, diagnoses, treatments provided, medical history and, in some cases, even Social Security Number compromised.

Patients from 2014 and over might have got their medical data and SSNs leaked

The provider of health and addiction-curing services claims that there is no information that some type of third-party or a hacker has accessed the data that was exposed. However, Health Recovery Services admit that there was a wide range of information that had been exposed during the incident. The vulnerable server was storing personal details such as patients' date of birth, name/surname, residence address, contact number.

Nevertheless, HRS claims that people who became clients after 2014 might have additional data leaked. This sensitive information includes medical and healthcare data, details about patients' diagnosis and treatment. Some Social Security Numbers might also have been breached during the incident. However, the healthcare organization informed every potential victim:^[3]

Out an abundance of caution, we are providing notice of this incident to any individual that may be affected by the data event given we cannot rule out unauthorized access to this information occurred.

Data breaches affect numerous healthcare organizations worldwide

Data breaches are nothing new and, 2018 being the year of “data breach tsunami,” seems like the trend is continuing in 2019 also.

For example, Metrocare Services located in Texas notified about 5,000 clients on the 5th of April that their data might have been leaked due to a malicious actor that found a way to gain access to an email account of one of the company's employees.^[4]

The breach was discovered on February 6, this year, while particular details were indeed being leaked since January. This incident also included a wide range of information that was widely exposed:

• Name/surname.
• Birthdate.
• Address.
• Driver license number.
• SSN.
• Healthcare data.

In another event, California's Centrelake Medical Group was hit by ransomware, which resulted in data exposure of the company's clients.^[5] The malicious individuals managed to breach the internal network and access Social Security Numbers, driver's license number, demographic details, health insurance number, disease and treatment history, and other data.

However, this is just a small part of information breaches that have occurred recently. There are other affected companies such as Klaussner Furniture Industries, Clearway Patient Solutions, Questcare Medical Services, etc. While regular users themselves cannot change anything about data breaches that occur in companies that store their medical information, it would be a wise idea to use strong passwords and adding two-factor authentication^[6] for all the accounts created online.