Morley Companies Ransomware Hack

A ransomware attack on Morley Companies Inc. may have exposed the personal data of at least 521,046 individuals.

The provider of business process outsourcing and meeting solutions to dozens of Fortune 500 companies disclosed the ransomware incident in a filing with the Office of the Maine Attorney General and in a notice posted on its website.

Details of Morley Companies Ransomware Hack

According to the filing with the state of Maine and the statement on its website, the intrusion into Morley Companies' network began on July 20, 2021. Company data became unavailable on August 1, 2021, roughly twelve days later, at which point the company took steps to secure its network and began an investigation of the incident.

With the assistance of outside cybersecurity experts, Morley determined on January 26, 2022, that additional data may have been compromised. According to the company statement, “The following personal and protected health information may have been involved in the incident: name, address, Social Security number, date of birth, client identification number, medical diagnostic and treatment information, and health insurance information.”

Medical diagnostic, treatment and health insurance information of this kind is electronic protected health information (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA) when it is created, received, maintained or transmitted by a covered entity or by a business associate acting on its behalf.

Response to Morley Companies Ransomware Hack

Notification by mail to affected individuals concerning the details of the Morley Companies hack began on February 1, 2022. The HIPAA Breach Notification Rule requires that affected individuals be notified without unreasonable delay, and in no case later than 60 days after the breach is discovered.

The Breach Notification Rule also requires that breaches affecting 500 or more individuals be reported to the Secretary of Health and Human Services within the same 60-day window, and that breaches affecting more than 500 residents of a state or jurisdiction be reported to prominent media outlets serving that area. At press time, the incident had not been listed on the HHS Office for Civil Rights Breach Portal (a.k.a. the HIPAA Wall of Shame). Note that a business associate's own obligation under the rule is to notify the affected covered entity, which in turn reports to HHS, so an incident of this kind may eventually appear on the portal under a client's name rather than the vendor's.

Takeaways from Morley Companies Ransomware Hack

Based on the information provided, it is likely that the company was acting as a business associate, providing services to a covered entity or to another business associate, when the Morley Companies hack took place.

In either case, a signed business associate agreement (BAA) is required between the organizations whenever one of them creates, receives, maintains, or transmits protected health information (PHI), including ePHI, on behalf of the other.

Failure to have a signed BAA in place before PHI is shared is itself a violation of the HIPAA rules and can result in substantial fines, independent of any breach that later occurs.