Metro Presort

Metro Presort operates as a third-party mailing service provider based in the United States, with its core business focused on managing presort and mailing operations for clients in the healthcare sector. The company handles sensitive communications that contain protected health information, including patient names, addresses, and health identification details, acting as a business associate to various healthcare entities. This role positions it within the critical data supply chain of the U.S. healthcare system, where it is responsible for the secure handling of personal health data under regulations such as the Health Insurance Portability and Accountability Act. Its services are specialized for healthcare clients, implying a competency in managing sector-specific compliance and data stewardship requirements. The company's operational footprint is defined by its client base, which includes multiple healthcare organizations that rely on its mailing solutions for patient correspondence.

In early May 2019, Metro Presort experienced two distinct ransomware incidents that significantly impacted its healthcare clients. The first attack, occurring on May 3, involved the Ryuk ransomware and directly compromised data from 21 healthcare entities serviced by the company, leading to the exposure of patient information. The vendor refused to pay the demanded ransom, and a subsequent regulatory investigation initially concluded that no violations of health privacy regulations had occurred before closing the case. A separate but related incident on May 1 targeted a business associate, initially assessed as not compromising protected health information due to pre-existing encryption. However, a later reinvestigation prompted by regulatory scrutiny cast doubt on the encryption's effectiveness, ultimately determining that personal health data of up to 38,387 individuals may have been exposed. Two healthcare clients separately reported breaches linked to this event, affecting over 24,000 combined patients, though the precise relationship between their figures and the business associate's official report remained unclear. Regulatory investigators reversed their initial finding of no violation, later acknowledging the potential for data compromise. These events underscore the vulnerabilities faced by healthcare data processors and the complex, often protracted, nature of breach assessment and regulatory review in this sector.