The Lyon Firm is investigating the Medical Review Institute of America data breach, which has impacted thousands of victims. Patients may have had their data compromised in the November 2021 ransomware attack, in which sensitive patient data may have been stolen.
Over 134,000 individuals may have been impacted by the Medical Review Institute data breach, and data breach notification letters have been sent out to those most vulnerable. The letter states that on November 9, 2021, Medical Review Institute discovered a cybersecurity incident which led to unauthorized access to its network. An investigation with third-party experts confirmed the data breach.
On November 12, 2021, MRIoA concluded that the attackers exfiltrated patients’ electronic protected health information (ePHI). The Medical Review Institute of America (MRIoA) is provided with patient data by HIPAA-covered entities as part of the clinical peer review process of healthcare services.
MRIoA has not said whether or not ransomware was involved, although experts say the attack had the hallmarks of a double-extortion ransomware attack. MRIoA said on November 16, 2021, that any stolen data were retrieved and copies of the data have been deleted, which suggests a ransom demand was paid.
The Medical Review Institute says the following types of information may have been stolen:
- Home address
- Phone number
- Email address
- Date of birth
- Social Security number
- Medical history
- Diagnosis, treatment information
- Dates of service
- Lab test results
- Prescription information
- Provider name
- Medical account number
In response, MRIoA has been implementing additional cybersecurity safeguards, including:
- Monitoring of systems with advanced threat hunting and detection software
- Additional multi-factor authentication protections
- New servers to ensure all malware and threat remnants were removed
- Working with external third-party cybersecurity experts
- Enhancing employee cybersecurity training
- Reviewing, revising, and amending existing cybersecurity policies