The Houston-based healthcare revenue cycle and management company recently filed a notice of data breach.
What happened
On October 11th, 2024, Gryphon Healthcare LLC filed a notice of a data breach with the Attorney General of Maine. The breach may have impacted personal and protected health information (PHI).
According to Gryphon’s data breach notice, the company first became aware of the breach on August 13th, when they discovered that a partner had been breached.
Gryphon provides medical billion services to the partner company, and that company’s breach resulted in unauthorized access to Gryphon’s data. The unauthorized user may have accessed files from individuals who received medical billing services from Gryphon.
Ultimately, it’s believed that up to 400,000 people’s information was accessed.
Going deeper
Upon discovering the breach, Gryphon began a review of impacted files, which concluded on September 3rd.
Gryphon determined the following information from current and former patients may have been affected: names, dates of birth, addresses, Social Security numbers, dates of service, diagnosis information, health insurance information, medical treatment information, prescription information, provider information, and medical record numbers.
Gryphon began contacting impacted individuals via email on October 11th, 2024.
Gryphon said they currently have “no evidence to suggest that any potentially impacted information has been misused because of this incident.”
The company also said they take “the privacy and security of all information within its possession very seriously.” After the incident, Gryphon said they have implemented “measures to enhance security and minimize the risk of a similar incident occurring in the future.”
The big picture
The health and medical system has become highly interconnected over the years, with man different agencies and businesses potentially having access to protected health information. These third-party organizations may be necessary for billing, giving referrals, administrative tasks, and more, but they also increase the risk of a data breach.
Every organization that handles protected health information must be vigilant protecting against breaches. Attackers are often opportunistic, looking for any organization–no matter how big or small–to attack.
Now that Gryphon has faced a breach, they may face further repercussions. It’s common for class action suits to be formed and other organizations have also faced penalties from the Department of Health and Human Services.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
