Cyber Incident Victim: AllyAlign Health
Date: Nov 2020
Location: United States of America
Summary
A ransomware attack targeted a Medicare Advantage plan administrator, potentially compromising data of 76,348 members and providers. The incident was detected one day after the attack, with the organization confirming no evidence of specific data misuse but acknowledging possible exposure of sensitive information. Data potentially exposed for affected individuals included names, addresses, Social Security numbers, Medicare identifiers, medical claims history, and health insurance details, though the entity did not specify which data elements it maintained per individual. Providers were separately notified about potential exposure of credentialing information and Social Security numbers. Credit monitoring services were offered to those impacted. Federal health authorities later reported a subset of 33,932 affected health plan members, with the discrepancy likely representing provider notifications.
Description
On November 13, 2020, AllyAlign Health (AAH), a Medicare Advantage special needs plan administrator, experienced a ransomware attack targeting its network. The attack was detected the following day, November 14, though AAH formally considered the incident "discovered" on February 2, 2020. AAH initiated notifications to 76,348 individuals, comprising health plan members and healthcare providers, regarding the potential compromise of their protected information. In notification letters signed by David Crocker, AAH’s Chief Information Officer, the organization stated its investigation found no direct evidence that threat actors specifically accessed or acquired personal data for misuse. However, AAH acknowledged the network compromise created exposure risks and advised recipients that certain information maintained by AAH could have been accessible to unauthorized third parties during the incident.

The notifications differentiated between impacted members and providers regarding the types of data potentially exposed. Members were informed that the following data, if held by AAH, might have been exposed: full name, mailing address, date of birth, Social Security number, Medicare Health Insurance Claim Number (HICN), Medicare Beneficiary Identifier (MBI), Medicaid recipient identification number, medical claims history, health insurance policy number, and other medical information. Providers received a separate notification listing potential exposure of their full name, mailing address, date of birth, Social Security number, and Council for Affordable Quality Healthcare (CAQH) credentialing information. AAH did not specify in either notification whether individual recipients actually had the referenced data elements on file, stating only that exposure was possible "if" AAH maintained such data. AAH offered affected individuals credit monitoring and identity theft protection services through IDX. The incident was reported to the U.S. Department of Health and Human Services (HHS), appearing on its breach portal as impacting 33,932 individuals, with the discrepancy between this figure and the 76,348 notifications likely representing the number of notified providers. AAH did not respond to media inquiries about the incident prior to initial reporting deadlines.
