The Dallas-based organization recently faced a data breach impacting over 10,000 individuals.
What happened
Cornerstone Healthcare Group Management Services LLC recently filed a notice of a data breach. The organization provides long-term acute care and specialized rehabilitation to patients who need additional support after a hospital stay.
The company has 15 locations across Arizona, Arkansas, Louisiana, Oklahoma, Texas, and West Virginia. The organization is part of ScionHealth, a national healthcare system with approximately 94 healthcare campuses.
While the organization hasn’t released information to the Department of Health and Human Services, Cornerstone has begun issuing notices of a data breach and filed a notice with the Texas Attorney General.
According to the notice, the company faced a data breach at the end of 2023 that impacted at least 10,000 individuals. Impacted data may include names, addresses, Social Security numbers, dates of birth, driver’s license numbers, financial account information, medical information, and health insurance information.
Going deeper
Cornerstone began contacting impacted patients in early July. According to their report, Cornerstone first became aware of suspicious activity on the company’s IT network in December 2023.
The company determined that the data breach took place on December 19th, 2023, impacting Cornerstone and several unnamed organizations supported by Cornerstone.
Cornerstone continued investigating the breach, ultimately concluding their investigation on May 30th, 2024. While the incident did not disrupt patient care, the company determined that personal information had been accessed.
The company has also contacted law enforcement and a cybersecurity firm to assess the scope and cause of the data breach.
While the breach occurred over 6 months ago, the company said that the “notice has not been delayed because of a law enforcement investigation.” Cornerstone did not share why patients have only now begun to receive notices.
The company stated they are taking steps to improve its security practices and protect patient privacy.
What’s next
The incident shows how long the process can take from discovering a data breach to notifying patients. Lately, there has been an increased focus on data security and a rise in class action lawsuits.
Investigations are a necessary part of responding to a data breach, and healthcare organizations must carefully balance the investigative process while keeping impacted patients as informed as possible. For many patients, realizing months after the fact that they were part of a data breach can be an unwelcome surprise.
Like many healthcare organizations, Cornerstone is likely to face a class action lawsuit; multiple firms are already gearing up to begin the process.
The big picture
Cornerstone took responsibility for the breach, stating, “We take our responsibilities to both deliver outstanding care and to protect your information extremely seriously, and we are very sorry for any inconvenience that this incident may cause you.”
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
