Console and Associates, P.C.

15 Anesthesia Practices Confirm Recent Data Breach Stemming from Incident at “Management Company” | Console and Associates, PC

Last month, on September 23, 2022, 15 anesthesiologist practices across the United States filed notices of a data breach with the US Department of Health and Human Services Office for Civil Rights. Earlier this week, six of the same practices (and two others that had not filed with the HHS OCR) filed notice of the breach with the Montana Attorney General. According to the anesthesiologist practices’ filings with the Montana Attorney General, the breach affected patients’ names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, Medical Record Numbers, Medicaid or Medicare identification numbers , and health information such as treatment and diagnosis info. Recently, each of the anesthesia practices sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

What We Know About the Various Anesthesiologist Data Breaches

The available information regarding the various anesthesiologist breaches comes from the companies’ filings with the Attorney General of Montana and, to a lesser extent, with the US Department of Health and Human Services Office for Civil Rights.

On September 23, 2022, the following anesthesiologist practices filed notice with the US Department of Health and Human Services Office for Civil Rights:

  • Upstate Anesthesia Services PC

  • Resource Anesthesiology Associates PC

  • Resource Anesthesiology Associates of IL PC

  • FMC Services, LLC

  • Resource Anesthesiology Associates of CA A Medical Corporation

  • Providence WA Anesthesia Services PC

  • Palm Springs Anesthesia Services PC

  • Lynbrook Anesthesia Services PC

  • Hazleton Anesthesia Services PC

  • Grayling Anesthesia Associates PC

  • Fredericksburg Anesthesia Services LLC

  • Bronx Anesthesia Services PC

  • Anesthesia Services of San Joaquin PC

  • Anesthesia Associates of Maryland LLC

  • Anesthesia Associates of El Paso PA

However, the information provided on the HHS OCR page is limited, and all that could be gleaned from the posting was that the breaches all involved a “hacking / IT incident” of a network server.

Subsequently, on October 24, 2022, several of the same organizations filed notice of a breach with the Attorney General of Montana, including:

  • Providence WA Anesthesia Services PC

  • Resource Anesthesiology Associates of MO LLC

  • Fredericksburg Anesthesia Associates LLC

  • Anesthesia Services of El Paso PA

  • Resource Anesthesiology Associates of CA PC

  • Anesthesia Services of San Joaquin PC

  • Resource Anesthesiology Associates of MI PC

  • Resource Anesthesiology Associates of IL PC

The Montana Attorney General’s website provides links to the data breach letters sent to affected patients, which gives additional details about the incident. Interestingly, all of the anesthesiology practices that reported a breach with the Montana AG uploaded identical letters outlining the same basic facts.

Obviously, on September 22, 2022, each of the practices was informed that its management company detected unusual activity within its computer network. The letter explains that the management company provides administrative services to the filing entity, which is presumably how the management company came into possession of patient data.

After noticing the unusual activity, the management company secured its system and enlisted the assistance of a third-party data security firm to investigate the incident. The company’s investigation confirmed that there was unauthorized access to patient information.

Upon discovering that sensitive consumer data was made available to an unauthorized party, the management company began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, date of birth, driver’s license number, financial account information, health insurance policy number, Medical Record Number, Medicaid or Medicare identification number, and health information such as treatment and diagnosis information.

Subsequently, each of the anesthesia practices sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. In total, it appears that there were over 386,000 people affected by these data breaches.

The Identity of the Management Company Is Still a Mystery

Based on the data breach letters, it would appear that the breach originated at the management company and that the individual anesthesiology practices servers were not subject to unauthorized access. However, one important fact that is missing in each of the data breach letters is the name of the management company—nowhere is the company listed by name, with the letter only referring to the company as the “management company.”

However, because 15 anesthesiologist practices all reported a breach with the HHS OCR on the same day, and six of the same practices provided identical data breach letters a month later, it would appear that it is the same management company involved with each of the breaches . While it cannot be confirmed at this point, through independent research, Console & Associates, PC has identified a large anesthesia practice management group that has ties to many of the practices that filed notice of the breach. However, until that company comes forward and acknowledges its role in these data breaches, there is still some level of speculation.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the data breach, please see our recent piece on the topic here.

Leave a Comment

Your email address will not be published. Required fields are marked *