Following an attempted ransomware attack that took place November 13, 2020, AllyAlign Health breach alerts have been sent to make members and providers aware of the privacy violation.
According to the breach notification letters sent to affected individuals, the Glen Allen, VA-based Medicare Advantage health plan administrator discovered the attack on November 14, 2020. A review of the incident found the systems infiltrated by the hackers included members’ first and last names, addresses, dates of birth, Social Security numbers, Medicare health insurance claim numbers, Medicare beneficiary identifiers, medical claims records, health insurance policy numbers, and other medical data.
Providers impacted by the breach have been made aware that names, addresses, dates of birth, Social Security numbers, and Council for Affordable Quality Healthcare (CAQH) credentialing data may have been infiltrated.
It remains unknown exactly how many people have been impacted by the incident. According to the breach alert issued to the Maine Attorney General, the protected health information of 76,348 individuals was possibly compromised. The breach report sent to the Department of Health and Human Services’ Office for Civil Rights indicates 33,932 individuals have been impacted.
The Attorney General alert indicates AllyAlign Health first identified the security breach on February 2, 2021. This could be the date when the breach investigation came to an end, and the amount of people impacted became known.
AllyAlign Health confirmed that it acted quickly to address the breach and contracted IT specialists to ensure the security of its databases and systems. Since the breach took place, policies and processes have been assessed and revised relating to the security of its systems and servers and information life cycle management. Alert letters were sent to impacted people on February 26, 2021 and credit monitoring and identity theft protection services have been provided. AllyAlign Health said no reports have been received that indicate improper use of member or provider information.