Benefit Recovery Specialists, Inc.

Benefit Recovery Specialists, Inc., also known as BRS, Inc., operated as a Texas-based billing and collection company with a specific focus on healthcare services. The organization's core function involved providing billing and collection services, primarily as a subcontractor for the Texas Medicaid program. This role placed it within the healthcare financial administration sector, handling the sensitive financial and personal data of low-income residents and Medicaid patients. Its client base extended to various healthcare providers and payers, for whom it managed the complex process of claims submission, payment tracking, and debt recovery. The company's work inherently required access to a significant volume of protected health information and personally identifiable data, including names, dates of birth, healthcare provider details, policy identifiers, and Social Security numbers, making it a custodian of highly sensitive information within the state's Medicaid ecosystem.

The company's operational scale and market reach, while not quantified in terms of revenue or employee count, are evidenced by the magnitude of data it handled. A ransomware attack in April 2020 and a subsequent, related incident reported in June 2020 compromised the personal information of approximately 275,000 individuals. This figure indicates the organization processed data for a substantial portion of the Texas Medicaid population or its associated provider networks. A notable structural attribute was its position within a contractual hierarchy; it served as a subcontractor to the prime contractor Accenture for Texas Medicaid work. This relationship became a critical factor in the breach disclosure process, as initial communications to the state from both BRS and Accenture allegedly mischaracterized the incident's scope. Following the attacks and the ensuing investigation into the delayed and incomplete disclosure, the subcontractor relationship was terminated. The breaches, attributed to a Russian-origin ransomware group, exposed systemic vulnerabilities in its data security protocols and highlighted the risks associated with third-party handling of public health program data. The company ultimately reported the incident to federal authorities as affecting over 274,000 individuals, fulfilling regulatory obligations but after significant delay and only following external media pressure.