Medusind Breach Exposes Sensitive Patient Data


US dental and medical billing firm Medusind is notifying over 360,000 customers that their personal, financial and medical data may have been accessed by a cybercriminal actor.

The breach relates to a cyber incident that took place back on December 29, 2023, and was discovered later the same day.

After taking affected systems offline, Medusind hired a cybersecurity forensic firm to conduct an investigation. This investigation uncovered evidence that a threat actor obtained a copy of certain files containing sensitive customer information, including:

  • Health insurance and billing information, such as insurance policy numbers or claims/benefit details
  • Payment information, such as credit/debit card numbers or bank account information
  • Health data, such as medical history, medical record number or prescription information
  • Government identification, such as Social Security number, taxpayer ID, driver’s license or passport number
  • Other personal information, such as date of birth, email, address or phone number

Medusind noted that the type of information accessed depends on the individual.

Those impacted by the incident are being offered two years of complimentary credit monitoring and identification protection services.

Victims are also encouraged to continuously review their account statements and monitor credit reports for any suspicious activity.

Medusind has not provided any details on the identity of the attacker or how the firm’s systems were accessed.

The Florida-based company added that it has implemented “enhanced security measures” designed to prevent similar intrusions occurring, although no further details have been provided on such measures.

Medusind operates 12 locations in the US and India. It also provides revenue cycle management services to over 6000 healthcare providers.

US Healthcare Breaches in the Spotlight

The Medusind breach notification follows a number of high-profile data breaches of US healthcare providers in 2024.

This includes the Change Healthcare ransomware attack in February 2024, which has led to more than 100 million Americans’ personal data being breached.

A ransomware attack on Ascension in May resulted in 5.6 million individuals having their sensitive personal, medical and financial information breached.

In December, the US Department of Health and Human Services (HHS) published plans to update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

These proposed changes are designed to ensure all health plans, healthcare clearing houses and healthcare providers in the US implement enhanced security measures for individuals’ protected health information (PHI).
