On April 29, 2022, Salusive Health, doing business as myNurse, alerted patients of a cyberattack – and that it was closing its doors. The cyberattack in question allowed unauthorized access to patient data, although there is no evidence that the information has been shared, posted, or misused.
Details of the Salusive Health Breach
According to the breach notice received by patients affected by the Salusive Health breach, the incident was discovered on March 7, 2022. Upon discovery, they immediately took action to terminate the unauthorized activity, secure their systems, and recover their data.
They also retained a forensic investigator to determine what information was impacted by the cyberattack. The investigation uncovered that the incident started on March 3, 2022, and that patient protected health information (PHI) was compromised in the attack.
The types of PHI involved included demographic information (i.e., first and last name, gender, home address, phone number, email address, and date of birth); clinical information (i.e., medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name, medical account number, or anything similar in a medical file and/or record); and financial information (i.e., health insurance policy and group plan number, group plan provider, claim information), and a single individual’s Social Security Number.
Affected patients have been advised to freeze their credit and have been offered free identity theft protection.
In response to the breach, Salusive Health has also implemented additional security measures to prevent similar incidents from occurring in the future. They have also reported the incident to the FBI, which is working to identify responsible parties.
What Else Do We Know?
Although seemingly unrelated (as per its notice), Salusive Health has decided to cease clinical operations on May 31, 2022. In the breach notice to patients, Salusive Health states, “Salusive (myNurse) made the difficult decision to cease clinical operations by end of business Tuesday, May 31. This will allow for an orderly hand off of chronic care management and remote patient monitoring services back to your primary care physician. This development is unrelated to the data security incident we experienced and does not affect the care you receive from your medical professional.”
Even if the breach was not why Salusive Health chose to end its clinical operations, it wouldn’t be surprising if it was a contributing factor.
The repercussions of a healthcare breach can be widespread and are generally extremely costly to deal with. After a breach, healthcare organizations are required to notify affected patients, conduct forensic investigations, and deploy additional security measures – all of which come at a cost. In the past, the cost of patient breach notification alone has caused a business to file for bankruptcy.
How do you prevent a breach from costing you your business? Well, implementing an effective HIPAA compliance program is a good start. A large part of HIPAA compliance is implementing security measures to prevent unauthorized access to PHI, making breaches less likely to occur. While there are other contributing factors to breach prevention, HIPAA can serve as a guide to bolstering cybersecurity best practices.
