Sharecare Health Data Services Issues Alert 8 Months After Breach Discovery

By Elizabeth Hernandez

Sharecare Health Data Services (SHDS), a San Diego firm that provides secure electronic exchange and medical records management services for healthcare groups, has contacted some of its clients to advise them that hackers gained access to parts of its systems that contained sensitive patient data.

SHDS discovered abnormal network activity on June 26, 2018, leading to an in-depth investigation. The investigation showed cyber criminals obtained access to systems containing protected health information as early as May 21, 2018. Access remained open until June 26, 2018, during which time PHI was accessed and downloaded by the hackers to locations outside the U.S.

SHDS hired a cybersecurity firm Mandiant to help with the forensic investigation of the breach. The breach was also made known to the FBI and SHDS has been assisting with its investigation.

SHDS has since implemented new measures to enhance security and prevent further breaches. Data retention policies have been revised, maintenance communications and protocols have been strengthened to ensure continuity across its network, and SHDS has contracted a third-party firm to provide 24/7 monitoring of its data systems.

On December 31, 2018, Sharecare Health Data Services alerted at least two healthcare groups that their data had potentially been accessed due to the attack – Mover five months after the discovery of the breach. No reason for the delayed notification has been given.

Los Angeles-based healthcare supplier AltaMed Health Services Corporation has announced that almost 6,000 patients were impacted by the breach. In its breach notice to the California Attorney General, AltaMed said the information obtained by the hackers was resticted to names, addresses, birth dates, unique patient ID numbers, addresses where healthcare services were given, and for some patients, internal SHDS processing notes and medical record numbers. Social Security numbers, financial data, and detailed clinical information were not obtained in the attack. Patients impacted by the breach were alerted on February 15, 2019 and have been offered 12 months of credit monitoring and identity theft protection services for free.

The California Physicians’ Service, operating as Blue Shield of California, has also alerted the California Attorney General about the breach.  Blue Shield of California members impaced by the breach have had the following information stolen: Names, addresses, birth dates, BlueShield ID numbers, addresses where healthcare services were given, and for some patients, internal SHDS processing memos, medical record numbers, and provider identities. 12 months of credit monitoring and identity theft protection services have also been offered for free. Those services can be renewed annually for individuals that remain BlueShield clients.

According to the breach summary published on the OCR website, 18,416 Blue Shield of California subscribers have had their PHI exposed due to the SHDS breach.

It is currently not confirmed how many other healthcare clients have been affected by the SHDS breach.

Twitter Facebook LinkedIn Reddit Link copied to clipboard
Elizabeth Hernandez works as a reporter for NetSec.news. Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy. Follow on X: https://twitter.com/ElizabethHzone