Cyber Incident Victim: Benefit Recovery Specialists, Inc.
Date: Jun 2020
Location: United States of America
Summary
A Texas Medicaid subcontractor, Benefit Recovery Specialists, suffered a ransomware attack originating from Russia that exposed personal information of tens of thousands of low-income residents, primarily Medicaid patients. The breach was not fully disclosed to the state by the subcontractor or its prime contractor, Accenture, which initially characterized it as a broader multi-state incident impacting healthcare providers and insurance billing beyond Medicaid. The state learned the true scope affecting Medicaid patients only after media inquiries. The subcontractor was subsequently terminated and reported the incident to federal authorities as impacting over 274,000 individuals.
Description
In early 2020, Houston-based subcontractor Benefit Recovery Specialists Inc. (BRSI), working under prime contractor Accenture for Texas Medicaid services, suffered a ransomware attack attributed to actors in Russia. The Maze ransomware operation compromised systems containing sensitive personal information of tens of thousands of low-income Texas Medicaid patients. BRSI and Accenture initially provided incomplete or inaccurate disclosures to the state of Texas, characterizing the incident as a multi-state breach affecting broader healthcare providers and insurance billing systems beyond Medicaid. The full impact on Texas Medicaid beneficiaries remained undisclosed until the Dallas Morning News contacted state officials with questions about the breach in June 2020, prompting further investigation. BRSI formally reported the incident to the U.S. Department of Health and Human Services (HHS) on June 26, 2020, disclosing that 274,837 individuals were affected. The breach timeline indicates the ransomware attack occurred months prior to the summer disclosures, with data exposure involving patient information used for collections and billing operations.

The Texas Health and Human Services Commission terminated BRSI’s subcontract following revelations that Medicaid patients constituted the primary victim group, contradicting earlier assurances. Public exposure of the incident’s scope through media inquiries revealed failures in timely and transparent breach notification protocols between the subcontractor, prime contractor, and state agencies. No specifics regarding data recovery, ransom payments, or technical containment measures were disclosed in available reports. Consequences included unauthorized access to Medicaid patient data and operational disruptions leading to BRSI’s removal from state contracts. The incident highlighted supply chain vulnerabilities in Medicaid administration, particularly regarding subcontractor oversight and incident reporting compliance.
