Specialty Networks, Inc. experienced a data breach in December 2023, compromising the protected health information of 411,037 patients.
Specialty Networks, a provider of radiology information systems and digital transcription services, has reported a data breach involving 411,037 patients' protected health information. The breach occurred between December 11 and 18, 2023, and files containing sensitive patient data were exfiltrated. The company delayed announcing the breach because it took time to review affected files. Affected individuals were notified and offered credit monitoring and identity theft protection services.
Between December 11 and 18, 2023, Specialty Networks, Inc. experienced a breach in its IT environment, during which unauthorized access was gained, and sensitive patient data was exfiltrated. The breach was detected on December 18, 2023, prompting a forensic investigation to determine the extent of the compromise. By May 31, 2024, Specialty Networks confirmed that protected health information (PHI) had been compromised. Subsequently, on June 24, 2024, the company began notifying its covered entity clients and coordinating with affected providers to verify the compromised information and gather updated contact details for those impacted. On August 15, 2024, Specialty Networks publicly announced the breach and notified the 411,037 affected individuals, offering complimentary credit monitoring and identity theft protection services.
Related: Who is responsible for a data breach?
The breach involved the unauthorized access and exfiltration of sensitive PHI, including Social Security numbers, medical records, and health insurance details, putting over 400,000 individuals at risk of identity theft and financial fraud. Such incidents can damage patient confidence, as individuals rely on healthcare providers to safeguard their personal information. The breach also carries regulatory and legal implications under laws like HIPAA, potentially leading to fines, lawsuits, and increased scrutiny for Specialty Networks.
Related: HIPAA Compliant Email: The Definitive Guide
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that sets standards for protecting sensitive patient information. It requires healthcare providers, health plans, and their business associates to implement safeguards to ensure the confidentiality, integrity, and security of PHI. Compliance with HIPAA is essential to protect patient privacy and avoid legal and financial penalties.
A business associate is a person or entity that performs certain functions or activities on behalf of, or provides services to, a covered entity that involves the use or disclosure of PHI.
Read also: How to know if you’re a business associate
HIPAA requires business associates to comply with the same standards for protecting PHI as covered entities. This includes implementing administrative, physical, and technical safeguards, conducting risk assessments, and ensuring that any subcontractors also comply with HIPAA requirements. Failure to comply can result in significant penalties and legal action.