Cyber Incident Victim: AltaMed Health Services Corporation
Date:
May 2018
Location:
United States of America
Summary
A healthcare provider experienced a data breach involving unauthorized access to patient information held by its third-party vendor, Sharecare Health Data Services. The incident stemmed from a compromise of the vendor's network, potentially exposing patient names, addresses, dates of birth, unique identification numbers, medical facilities visited, medical record numbers, and internal processing notes. The affected organization confirmed its own systems were not compromised and notified impacted individuals, offering complimentary credit monitoring and identity protection services through a dedicated call center. While no misuse of information was identified at the time of disclosure, the provider emphasized its commitment to patient data security and regret over the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
AltaMed Health Services Corporation experienced a data security incident involving its business associate, Sharecare Health Data Services (SHDS), which managed patient information on AltaMed's behalf. SHDS first detected abnormal activity within its network on June 22, 2018, and later determined that an unauthorized third party had gained access to the network as early as May 21, 2018. The investigation revealed the attacker accessed or acquired files containing AltaMed patient data, including names, addresses, dates of birth, unique identification numbers, facility names where health services were provided, medical record numbers, and internal SHDS processing notes. SHDS formally notified AltaMed of the breach on December 31, 2018, confirming the incident originated within SHDS systems and did not result from any action or inaction by AltaMed. AltaMed's own digital environment remained uncompromised throughout the event.
Upon receiving notification from SHDS, AltaMed initiated efforts to identify affected patients and notify regulatory authorities. The organization mailed notification letters to 5,767 California residents on February 15, 2019, describing the incident's scope and offering protective measures. While the total number of impacted individuals outside California remains unspecified, all notified parties received information about complimentary credit monitoring and identity protection services through AllClear ID. SHDS established a dedicated toll-free call center (1-877-676-0379) to address patient inquiries and concerns. Neither SHDS nor AltaMed had evidence of actual misuse of the compromised data at the time of notification. The California Physicians Service, operating as Blue Shield of California, separately notified regulators after being informed by SHDS, though the relationship between their affected patients and AltaMed's remains unclear from available information. AltaMed emphasized patient privacy as a priority while distancing its systems from the breach causation.