Cyber Incident Victim: Administrative Advantage
Date: Jun 2020
Location: United States of America
Summary
Administrative Advantage, a provider of billing support services to healthcare providers, experienced unauthorized access to an employee email account, potentially compromising sensitive patient information. The breach impacted a California-based medical group among other clients, exposing personal and medical data including Social Security numbers, financial details, health insurance information, medical records, and treatment specifics. While no actual misuse of the exposed information has been confirmed, the incident underscores risks associated with business associate vulnerabilities affecting covered healthcare entities. The compromised data varied by individual but encompassed a broad range of identifiers and health-related records stored within the email account during the unauthorized access period.
Description
On or around June 23, 2020, an unauthorized individual or group gained access to a single employee email account at Administrative Advantage (AA), a Georgia-based company providing billing support services to healthcare providers. The unauthorized access persisted until July 9, 2020. AA detected unusual activity in the compromised email account in July 2020 and immediately initiated an investigation. With assistance from third-party cybersecurity specialists, AA confirmed on August 18, 2020, that the account had been breached during the specified timeframe. The investigation could not definitively rule out unauthorized access to information within the account, prompting a comprehensive review of its contents to identify potentially exposed sensitive data.

The review revealed that the email account contained protected health information and personal data belonging to patients of AA's healthcare provider clients, including Remedy Medical Group, a California-based pain management practice. While the specific data elements varied per individual, they included names, Social Security numbers, financial account information, driver's license/state ID numbers, payment card details with CVV codes, dates of birth, passport numbers, electronic signatures, medical record numbers, Medicare/Medicaid identifiers, treatment details, diagnoses, health insurance information, lab results, and other medical treatment data. AA stated it had no evidence of actual or attempted misuse of this information as of April 2021. The company notified affected individuals on behalf of Remedy Medical Group and indicated multiple healthcare providers were potentially impacted, though Remedy was the only named client. Notifications were issued in an abundance of caution due to the inability to confirm whether attackers exfiltrated or viewed specific records during the 17-day access period.
