Between May 30, 2023, and June 2, 2023, VNS Health, a New York-based healthcare entity, experienced a data breach through one of its vendors that may have compromised the personal information of over 100,000 individuals and affected the security of certain VNS members’ personal health information.
Despite being made aware of this breach on June 22, 2023, VNS Health did not file a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights until August 14, 2023. It did not send out notifications to affected consumers for weeks thereafter, until almost two months after learning of the breach.
This is not the first time, even this year, that VNS Health has experienced a data breach. In February 2023, VNS Health was notified by another vendor, Independent Living Systems, LLC, of a data event that may have affected the personal information of certain VNS members.
According to Marianna Miyazaki-Grant, Chief Compliance and Privacy Officer of VNS Health, “We monitor potential risk areas. If we identify a potential issue, we report it directly to VNS Health’s Executive Team and our Board of Directors, and investigate the issue appropriately, and implement corrective measures as necessary…. The Compliance Department regularly updates our organization’s policies and procedures, Code of Conduct, and provides ongoing training to our employees and contractors.”
Yet now, two of its contractors and one of its primary contractors, TMG Health, Inc., experienced a significant data breach that was not disclosed for months.
While Ms. Grant asserts that “VNS Health is dedicated to ensuring that each of us does the right thing — for our patients and plan members, for their families, and for our community,” these two data breaches have raised concerns about the security of VNS Health’s data systems and the measures the company has actually taken to prevent such incidents from occurring in the future.
Key Takeaways
- VNS Health recently experienced a data breach that may have compromised the personal information of over 100,000 individuals.
- This is not the first time this year a VNS Health vendor has experienced a data breach.
- The incidents have raised concerns about the security of VNS Health’s data systems and the measures the company has taken to prevent such incidents from occurring in the future.
The Data Breach: What Happened
The data breach was caused by a hack of VNS’s vendor, TMG Health, Inc. (a Cognizant Technology Solutions company). The breach occurred between May 30 and June 2, 2023.
During this time, hackers gained access to certain VNS members’ personal health information, including names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information through this contractor.
VNS has confirmed that the data breach did not affect all of its members. However, VNS is not providing details of the event, its response, and the resources available to affected members. VNS has stated that it is working closely with law enforcement and cybersecurity experts to investigate the breach and prevent similar incidents from occurring in the future. The company also claims to have put additional security measures into practice to protect the personal information of its members.
In response to the data breach, VNS has begun sending out data breach notification letters to affected individuals, offering free credit monitoring and identity theft protection services to affected members. VNS is also urging members to review their account statements and credit reports for any unauthorized activity and to report any suspicious activity to the proper authorities.
The Data Compromised
The following types of data may have been affected in the VNS data breach:
- Names
- Social Security numbers
- Addresses
- Dates of birth
- Billing information
- Medical information
The company has offered one year of complimentary credit monitoring and identity theft protection services to those impacted by the breach.
It is unclear whether any employee data was compromised in the breach. VNS Health has provided no information regarding the potential impact on employee data.
Data Breach Notification Process
VNS has notified affected members of the data breach through written communications to over 100,000 members. The notification includes information about the incident, the type of data that was compromised, and steps that members can take to protect themselves. The company has also set up a toll-free number for affected members to call for more information and assistance.
In addition to notifying affected members, VNS has also notified regulatory agencies, including the U.S. Department of Health and Human Services Office for Civil Rights. The company has worked closely with these agencies to make sure all necessary steps are taken to address the data breach.
Implications For VNS Members
The VNS Health data breach has significant implications for individuals whose personal and medical information was compromised. The breach resulted in the unauthorized disclosure of names, Social Security numbers, addresses, dates of birth, billing information, and medical information of certain individuals.
This information could be used for identity theft, financial fraud, or other malicious purposes. Individuals affected by the breach should try to protect themselves by monitoring their credit reports and bank accounts for suspicious activity, changing passwords, and being cautious of unsolicited communications. Members can also take certain measures to protect their personal health information (PHI) in case of a data breach.
Here are a few tips:
- Regularly review your Explanation of Benefits (EOB) statements and medical bills for any services or treatments you did not receive.
- Keep track of your medical appointments, and if you notice any discrepancies in your medical records, report them to your healthcare provider immediately.
- Be cautious when sharing your PHI with anyone, including healthcare providers. Always ask why the information is needed and how it will be used.
- Use strong, unique passwords for your healthcare accounts and change them often.
- Consider freezing your credit to prevent identity theft.
What Else Should VNS Health Do?
To prevent further data breaches, VNS, at a minimum, should take these basic preventive measures:
- Conduct regular security risk assessments of their contractors to identify vulnerabilities in their systems.
- Implement strong access controls to make sure only authorized individuals can access PHI.
- Use encryption to protect PHI both in transit and at rest.
- Train employees on how to identify and report potential security incidents.
- Develop an incident response plan to ensure a quick and effective response in case of a data breach.
- Regularly review and update their privacy and security policies to ensure compliance with HIPAA regulations.
Legal Consequences of the Breach
The VNS Health data breach highlights the importance of implementing strong data security measures to protect sensitive information. Failure to do so can have significant legal and financial consequences for healthcare organizations.
The VNS data breach has potentially exposed the personal information of over 100,000 individuals, which could lead to significant legal consequences for the company. Under federal HIPAA regulations, healthcare organizations must implement appropriate safeguards to protect patient information. Failure to do so can result in significant fines and legal penalties.
The Office for Civil Rights is also investigating this breach and may impose fines and other sanctions if VNS Health is found to be in violation of HIPAA regulations.
Class Action Investigation
Victims of the breach may also be entitled to compensation for any damages resulting from the exposure of their personal information.
We are investigating this breach to determine if a class action lawsuit should be filed against VNS on behalf of affected individuals, as well as against TMG Health, the vendor responsible for handling claims processing and administrative tasks for VNS.
Summary
The VNS Health data breach has affected over 100,000 individuals and compromised their personal data, including Social Security numbers and personal medical information. VNS Health has been notifying affected individuals and offering credit monitoring services to those affected.