The medical billing records of nearly 1 million Central New York patients may have been obtained by hackers.
Practice Resources LLC, a company that provides billing services for dozens of hospitals and medical providers, said hackers may have obtained names, home address, dates of treatment and internal account numbers of more than 924,000 patients.
No private medical information, credit card numbers or Social Security numbers were exposed, said David Barletta, chief executive officer of Practice Resources. Practice Resources’ required public notice said there was “no evidence that information was misused as a result of this incident.” The company is providing for free a year of online cybersecurity protection for all affected patients.
Practice Resources bills about $450 million annually for its clients, Barletta said. The data breach affected the records of patients of at least 28 Central New York medical providers, including bedrock institutions like St. Joseph’s, Crouse and Upstate Community hospitals; the Salvation Army; and the sprawling Family Care Medical Group. (See full list below.)
The breach also includes billing records of physical therapists, pediatricians, gynecologists and orthopedic surgeons.
Family Care Medical Group lost all of its laboratory data and had to shut down its lab for months while rebuilding the computer system, said the group’s chief executive officer, Dr. Mitchell Brodey. Lab work was sent to another laboratory in the meantime.
“We just reopened a week ago,” Brodey said.
Family Care is owned by the same doctors group that owns Practice Resources.
The billing company was hit by a ransomware attack in April, and it took months to determine which patient accounts had been accessed. In a ransomware attack, hackers lock down or hide information in a computer system and demand a ransom to release it.
Barletta said he could not say whether Practice Resources paid a ransom to free the data.
“Due to the ongoing investigation, we’re not allowed to discuss that,” he said.
Barletta said Practice Resources hired a forensic team to scout patient data and see what might have been taken.
“There was no evidence that any patient information was accessed, including Social Security numbers,” he said.
Barletta said the state Attorney General’s office is investigating the hacking and whether Practice Resources’ data security was adequate. Wegmans supermarket chain was recently fined $400,000 by the attorney general’s office for lax cloud storage that exposed the data of more than 3 million customers.
The Practice Resources breach happened April 12, but patients are just now receiving letters. Barletta said the forensic investigation was time-consuming, and figuring out which patients’ accounts had been hacked, and contacting each medical practice, took months.
If you haven’t received a letter but think your data might be at risk, you can call 1-866-667-1465, from 8 a.m. to 8 p.m. weekdays.
The Syracuse City School District and Onondaga County Public Library were hit by ransomware attacks in 2019. It took weeks to restore the systems.
Here’s the list of medical providers whose patients’ records might have been affected by the Practice Resources breach:
Achieve Physical Therapy, PC
CNY Obstetrics and Gynecology, P.C.
Community Memorial Hospital, Inc
Crouse Health Hospital, Inc
Crouse Medical Practice PLLC
Family Care Medical Group, PC
Fitness Forum Physical Therapy, PC
FLH Medical PC
Guidone Physical Therapy, PC
Hamilton Orthopedic Surgery & Sports Medicine
Helendale Dermatological and Medical Spa, PLLC
Kudos Medical, PLLC
Laboratory Alliance of Central New York, LLC
Liverpool Physical Therapy, PC
Michael J Paciorek, MD PC
Nephrology Associates of Watertown, PC
Nephrology Hypertension Associates of CNY, PC
Orthopedics East, PC
Soldiers & Sailors Memorial Hospital—Physician Practices
St. Joseph’s Medical
Surgical Care West, PLLC
Syracuse Endoscopy Associates, LLC
Syracuse Gastroenterological Associates, PC
Tully Physical Therapy
Upstate Community Medical, PC
© 2022 Advance Local Media LLC
Distributed by Tribune Content Agency, LLC.