Medical Review Institute of America logo Image source: (MRIoA (healthitdirectory.com), 2016)
One-sentence summary:
Medical Review Institute of America suspected ransomware and data breach via Sonicwall affects 134,000, results in five class-action lawsuits and a $2.6 million settlement despite data deletion.
Who was involved?
Medical Review Institute of America (MRIoA), Blue Cross and Blue Shield of Illinois (BSBSIL), potentially 134,571 patients, and a threat actor.
30 additional clients of MRIoA are listed on MRIoA’s Maine OAG breach notice which may have supplied MRIoA with PHI or PII:
- Albertsons Companies
- AllWays Health Partners
- Ambetter from Home State Health
- Ambetter From Superior Health Plan
- Ambetter of North Carolina
- Blue Cross & Blue Shield of Rhode Island
- Blue Cross and Blue Shield of Minnesota
- Blue Cross Blue Shield of Illinois
- Blue Cross Blue Shield of New Jersey
- Blue Cross Blue Shield of Texas
- Cambia Health Solutions
- Capital Blue Cross
- CARY MEDICAL CENTER
- Florida Blue
- General Dynamics
- Genex Services, LLC
- Government Employees Health Association, Inc.
- Health New England
- Horizon
- Horizon Blue Cross Blue Shield of New Jersey
- Magellan Rx Medicare Basic PDP
- MAINEGENERAL HEALTH
- National Elevator Industry Health Benefit Plan
- NORTH AMERICA ADMINISTRATORS
- OptumRx
- State of Maine Department of Administrative and Financial Services, Office of Employee
Health and Wellness - SULLIVAN TIRE
- The Associates’ Health and Welfare Plan
- Twin Rivers Paper Company
- University of Arkansas Medical Benefit Plan
- WellCare (Pollock, 2022b, p. 10)
What was the timeline?
June 25, 2021: Medical Review Institute of America achieves HITRUST CSF Certification
November 2, 2021: Breach starts at MRIoA via Sonicwall
November 9, 2021: Medical Review Institute of America discovers it is undergoing a potential breach/cyberattack
November 12, 2021: MRIoA discovers data is breached as part of the attack
November 16, 2021: Medical Review Institute of America confirms data was deleted
January 7, 2022: MRIoA reports the breach to HHS and begins consumer notification
February 03, 2022: Class-action lawsuit is filed against Medical Review Institute of America (and Blue Cross and Blue Shield of Illinois (BSBSIL)) in federal court in northern Illinois (Dean v. Medical Review Institute of America, LLC et al, 2022)
March 16, 2023: MRIoA settles five outstanding class-action lawsuits with a potentially capped $2.6 million settlement (IN RE MEDICAL REVIEW INSTITUTE OF AMERICA, LLC, DATA BREACH LITIGATION, 2023, p. 5)
What occurred?
Medical Review Institute of America (MRoiA) was breached in November 2021 via Sonicwall by a potential ransomware group, affecting over 134,571 patients and their sensitive data (HHS, 2022; Alder, 2022; Pollock, 2022b, p. 1). Despite having the data deleted (via suspected ransom payment) (Alder, 2022), the following sensitive data was allegedly breached: “demographic information (i.e., first and last name, gender, home address, phone number, email address, date of birth, and social security number); clinical information (i.e., medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name, medical account number, or anything similar in your medical file and/or record); and financial information (i.e., health insurance policy and group plan number, group plan provider, claim information)” (Pollock, 2022b, pp. 1-2). The breach resulted in over five class action lawsuits being filed against MRoiA which all settled in March 2023 for a maximum amount of $2.6 million, among $487,500 in attorney fees and other costs (IN RE MEDICAL REVIEW INSTITUTE OF AMERICA, LLC, DATA BREACH LITIGATION, 2023, pp. 5-6).
Estimated costs:
Associated incident response costs, breach notification costs, potential ransom payment (Alder, 2022, para. 4), litigation defense, “third-party forensic and incident response experts,” $2.6 million settlement to consumers, $487,500 in attorney fees to plaintiffs (IN RE MEDICAL REVIEW INSTITUTE OF AMERICA, LLC, DATA BREACH LITIGATION, 2023, p. 6), M-F call center, 12 months of Kroll identity monitoring
Involved laws:
Federal: HIPAA and HITECH; Section 5 of the FTC Act, 15 U.S.C. § 45 (Dean v. Medical Review Institute of America, LLC et al, 2022, p. 13)
State: Maine: 10 M.R.S.A. § 1346
Massachusetts: 201 CMR 17.00 and M.G.L.A. 93H § 1
Illinois: Illinois Consumer Fraud and Deceptive and Deceptive Business Practices Act (“CFA”), 815
Ill. Comp. Stat. §§ 505/1, et seq. (Dean v. Medical Review Institute of America, LLC et al, 2022, p. 4)
815 ILCS 505/2 (Dean v. Medical Review Institute of America, LLC et al, 2022, p. 51)
Root cause:
Known Sonicwall vulnerability with a patch available (Pollock, 2022b, p. 1; McGee, 2022)
Lessons learned:
5 months before the breach, the Medical Review Institute of America (MRIoA) achieved HITRUST CSF Certification (Maloney, 2021). This was broadcasted on a press release on MRIoA’s website, and MRIoA positioned itself as an “elite group of organizations worldwide” (Maloney, 2021). Thus, even a HITRUST CSF certification may not be enough for organizations in today’s cyber landscape. Furthermore, MRIoA’s patch management is under question (McGee, 2022). Patch management is a critical component of an organization’s cybersecurity health and resilience. Attackers are actively scanning their public targets on a regular basis and may exploit any vulnerability they find– especially unpatched.
Example patch management solutions:
ManageEngine Patch Manager Plus: https://www.manageengine.com/patch-management/
Automox Cloud Patch Management: https://www.automox.com/features/cloud-patch-management
Additionally, regular vulnerability assessments are integral to a robust patch management program. Organizations should be regularly scanning both their internal and public assets to ensure vulnerabilities are not present.
Example vulnerability assessment tools:
Tenable Nessus: https://www.tenable.com/products/nessus
Greenborne OpenVAS (open source): https://openvas.org/
Web Application:
Burp Suite Enterprise Edition: https://portswigger.net/burp/enterprise
Acunetix: https://www.acunetix.com/
MRIoA has listed many remediation efforts it has undertaken in response to the breach, including:
- “Constant monitoring of its systems with advanced threat hunting and detection software;
- Adding additional authentication protections when attempting to access the systems;
- New servers built from the ground up to ensure all threat remnants were removed;
- Working with external third-party cybersecurity experts to assist in their security efforts;
- Deploying a hardened and new backup environment;
- Enhancing its employee cybersecurity training; and
- Reviewing, revising, and amending its existing cybersecurity policies as necessary.” (Pollock, 2022b, p. 2)
Additionally, third-party liability is highlighted as during litigation, it was discovered that Blue Cross and Blue Shield of Illinois (BSBSIL) was sued for contracting with MRIoA and providing PHI and PII (Dean v. Medical Review Institute of America, LLC et al, 2022, p. 1). Furthermore, 31 different clients of MRIoA were identified in a list on MRIoA’s Maine OAG breach report (Pollock, 2022b, p. 10).
Finally, potentially paying for data deletion may not change outcomes such as mass litigation. At one point, it appeared MRIoA had one of their cases favorably dismissed, likely due to the data deletion, but this still did not change the $2.6 million settlement or other lawsuits (Hawkins, 2022). This also brings to attention a dilemma organizations have when faced with a ransom or double extortion attempt in a ransomware attack: do they pay the ransom or refuse it? Here, I cannot make a recommendation for every organization as the U.S. government discourages ransom payments (Kapko, 2022). However, every interest must be weighed, including the breach victims, society, and the criminal ransomware/extortion groups. PHI is proving a lucrative extortion vector as it contains the most sensitive and intimate information available about a person. Prevention is the best strategy, but also having a good cyber insurance policy and resilience plan (such as what is specified in NIST SP 800-160 Vol. 2 Rev. 1) are critical components as well.
Sources:
Alder, S. (2022, January 18). Patient Data Stolen in Cyberattack on the Medical Review Institute of America. HIPAA Journal. Retrieved May 2, 2023, from https://www.hipaajournal.com/patient-data-stolen-in-cyberattack-on-the-medical-review-institute-of-america/
Dean v. Medical Review Institute of America, LLC et al, Case No. 1:22-cv-00619 (N.D. Ill. 2022). https://www.classaction.org/media/dean-v-medical-review-institute-of-america-llc-et-al.pdf
Hawkins, S. (2022, June 24). Medical Review Institute of America Dodges Data Breach Claims. Bloomberg Law. Retrieved May 2, 2023, from https://news.bloomberglaw.com/privacy-and-data-security/medical-review-institute-of-america-dodges-data-breach-claims
HHS. (2022). Cases Currently Under Investigation. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health and Human Services Office for Civil Rights. Retrieved May 2, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
IN RE MEDICAL REVIEW INSTITUTE OF AMERICA, LLC, DATA BREACH LITIGATION, CIVIL NO. 2:22cv0082-DAK-DAO (D.C. Utah 2023). https://www.mriasettlement.com/wp-content/uploads/2023/04/SETTLEMENT-AGREEMENT-AND-RELEASE.pdf
Kapko, M. (2022, September 19). US government rejects ransom payment ban to spur disclosure. Cybersecurity Dive. https://www.cybersecuritydive.com/news/government-ransomware-guidance/632136/
Maloney, D. (2021). Medical Review Institute of America (MRIoA) Achieves HITRUST CSF® Certification to Manage Risk, Improve Security Posture, and Meet Compliance Requirements. MRIoA. https://www.mrioa.com/medical-review-institute-of-america-mrioa-achieves-hitrust-csf-certification-to-manage-risk-improve-security-posture-and-meet-compliance-requirements/
McGee, M. K. (2022, January 11). Vendor: Data Breach Involved Security Product Vulnerability. GovInfoSecurity. Retrieved May 2, 2023, from https://www.govinfosecurity.com/vendor-data-breach-involved-security-product-vulnerability-a-18290
MRIoA (healthitdirectory.com). (2016, November). Medical-Review-Institute-of-America-MRIoA.jpg. healthitdirectory.com. https://healthitdirectory.com/wp-content/uploads/2016/11/Medical-Review-Institute-of-America-MRIoA.jpg
Pollock, S. (2022a). Data Breach Notifications. In Privacy, Identity Theft and Data Security Breaches. Office of the Maine Attorney General. Retrieved May 2, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/8de68304-84d8-4c9c-bf36-c2de1b461e70.shtml
Pollock, S. (2022b). Re: Security Breach Notification. In Data Breach Notifications. Office of the Maine Attorney General. Retrieved May 2, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/8de68304-84d8-4c9c-bf36-c2de1b461e70/f95dfcd5-29d2-4181-9407-abcad8a2f5ec/document.html
