The Dallas Morning News

Medicaid data breach compromised Texans

State subcontractor dumped after patients’ information exposed

By ROBERT T. GARRETT, Austin Bureau

AUSTIN — A Texas Medicaid subcontractor has been terminated after a data privacy breach caused by a ransomware attack from Russia last year exposed the personal information of tens of thousands of low-income residents.

Also, a spokeswoman for the state’s sprawling health and social services agency has said it was not initially informed that the brunt of the malicious hack fell almost entirely on Texas Medicaid recipients.

Christine Mann confirmed that the state Health and Human Services Commission, which runs Medicaid, did not learn that 98.5% of the nearly 275,000 Americans potentially affected by the breach were Texas Medicaid patients until it received questions about the incident from The Dallas Morning News.

Original communications to the state by prime contractor Accenture apparently described a multistate incident involving health care providers and insurance billing and collections for health plans ranging well beyond Medicaid.

That would mirror other notifications Accenture’s collections subcontractor, Houston-based Benefit Recovery Specialists Inc., or BRSI, made to the federal government and the public last summer.

While a June 26 news release BRSI sent to The Associated Press’ Texas editor referred to how the breach “may impact the personal information of certain individuals using services under the Medicaid program,” notices the company posted on its website and sent to national news media did not mention Medicaid or Texas as the main affected entity, The News has learned.

“You also asked if Accenture made HHSC aware that the majority of clients affected by the multistate breach were Texas Medicaid clients,” Mann said in a recent email.

“The answer is no.”

BRSI chief executive Anthony Stegman, reached by phone Wednesday, said, “I have no comment.”

Neither he nor the company, which provides billing and collection services to health care providers and payers, responded to queries sent via email or through its website.

Devon, Pa.-based data security lawyer Angelina Freind, who on behalf of BRSI reported the incident to Attorney General Ken Paxton’s office last summer, also did not respond.

Lawmaker queries

On Thursday, two House budget writers questioned the commission’s top two information technology officials about the breach, whether there will be consequences for Accenture and how the state will install more safeguards.

“To me, they have broken the data use agreement because they have released a whole bunch of information about ... a quarter of a million Texans,” said Rep. Giovanni Capriglione, R-Southlake.

Rep. Ann Johnson, D-Houston, said the subcontractor’s inadvertent release of personal information allowed “potential fraud and harm” to a vulnerable population.

“This was one of the largest health care data breaches ever. It’s 274,837 individuals whose identity information has been compromised,” she said.

Johnson said she’s dismayed Accenture “is still receiving funds from the state.”

On Friday, commission spokeswoman Mann said Accenture determined the breach was caused by a “phishing attack” on BRSI’s data systems.

“We’re currently reviewing the root cause of this incident, identifying and implementing corrective actions, and determining an appropriate remedy, which could include liquidated damages, in accordance with the contract,” Mann wrote in an email.

In fall 2017, Accenture, a major Medicaid program contractor, hired BRSI to collect payments from other health insurance plans for pharmacy services provided to Medicaid patients.

The data breach, which was discovered last April, was handled in a way that complied with state and federal regulations, said Accenture spokesman Joe Dickie.

There was no withholding of relevant information from the Health and Human Services Commission, he added. Early explanations may have been incomplete, but only because Accenture lacked a full view into BRSI’s affairs, Dickie said.

“We shared all relevant information provided to us by BRSI with our client, Texas HHSC, as we learned about the incident from BRSI,” he said in a written statement. “However, due to client confidentiality, BRSI did not share their other impacted clients with us, nor did they share with us what percentage of the impact was represented by Texas Medicaid. We also were not informed by BRSI regarding the overall impacted population.”

It’s not known whether any Medicaid recipients’ identity was stolen because of the breach.

“BRSI is unaware of any actual misuse of the impacted personal information,” according to Freind’s notice of the data breach to Paxton’s office. “An unauthorized actor accessed BRSI’s systems using employee credentials,” it said. The hack apparently involved email.

According to Accenture’s July 31 final report to the commission about the incident, the names, addresses, dates of birth, Social Security numbers, diagnosis and procedure codes and dates on which prescriptions were filled for at least some of 270,666 potentially affected Texas Medicaid clients were compromised.

Patient alerts

Accenture’s report and spokesman Dickie said BRSI mailed letters to 130,706 Medicaid recipients alerting them to the breach. It was unable to mail letters to additional Medicaid clients because their compromised data included things such as dates of medical services rendered and procedure codes that could not be traced to an individual, Dickie said.

“The goal of mailing individual notices to impacted individuals had to be balanced with minimizing the confusion that can arise when notices are received by the wrong individuals,” he said in a statement.

In Accenture’s report to the commission, it said, “Accenture takes our responsibility to safeguard our clients’ data extremely seriously and is committed to working closely with you on this issue.”

Accenture hired cybersecurity firm Charles River Associates to verify what BRSI and its cyber sleuths, Kroll Investigative Analysis, had found, the report noted. The Kroll and Charles River findings have not been made public.

“Bad actor(s) gained remote access to the BRSI network on April 20, 2020, via Remote Desktop Protocol …, from an IP address geolocating to Russia,” Accenture’s report recounted.

Between April 20 and April 30, the hackers “utilized accounts with escalating privileges,” then deployed a malicious computer program known as Osiris banking Trojan. The hackers “exfiltrated certain files from the BRSI network, and executed Maze ransomware on multiple systems in the BRSI network,” the report said.

BRSI paid the ransom, it said. Accenture’s Dickie said he didn’t know how much.

Capriglione said he’s crafting legislation this year that the BRSI breach has helped inspire. He did not elaborate.

Last session, he authored a bill that, while watered down before it was passed and signed into law by Gov. Greg Abbott, required businesses and computer-system operators to report to the attorney general within 60 days any data breach affecting the “sensitive personal information” of 250 or more Texans. The reporting requirement took effect on Jan. 1, 2020.

BRSI’s breach was the fifth biggest in Texas last year, according to an analysis by The News of data obtained from Paxton’s office through an open-records request.

Few details divulged

The episode drew fleeting attention in the national trade press on information technology security and health privacy, as few details about BRSI’s work or clients were divulged. The Information Security Media Group reported that BRSI didn’t respond to its requests “for additional details, including how many client organizations were affected by the breach.”

As Accenture’s final report to the commission noted, “The press releases and related media coverage only reference BRSI,” and did not mention Accenture.

As often happens after people’s personal information is compromised, BRSI in some of the nearly 131,000 letters sent to Texas Medicaid recipients offered one year of free credit monitoring and identity restoration services from Equifax or TransUnion, according to Freind’s letter to Paxton’s office.

However, neither she, BRSI chief Stedman nor Accenture’s Dickie divulged how many Medicaid recipients were offered the free services, and how many accepted. Dickie said only those whose Social Security numbers were compromise­d were offered the services.

“To raise awareness of the incident,” Accenture posted a notice about the breach on the website of the Texas Medicaid & Healthcare Partnership, Dickie said. Accenture runs Texas Medicaid & Healthcare Partnership for the state.

It says the notice about BRSI’s data breach may have been seen by many people enrolled in Medicaid because the Texas Medicaid & Healthcare Partnership website received 8 million visits from late June to mid-September, when the notice appeared.

Accenture has a $1.45 billion, 73-month contract with the commission to enroll providers, pay claims in the dwindling “fee for service” portion of the Medicaid program and manage a vast data system that measures quality and usage of services for all 4.5 million Texans with full Medicaid benefits, including those in managed care plans.

Neither Dickie nor BRSI officials divulged how many Medicaid clients called a toll-free number included in the notice on the Texas Medicaid & Healthcare Partnership website.

“We don’t have answers to share with you on the other questions; BRSI had responsibility for administering the incident response and remediation,” Dickie said. Accenture “severed our relationship with BRSI, as of October 2020,” he said.

It’s unclear how much Accenture paid BRSI.

In the three years BRSI worked on what’s called “third-party liability,” it helped the state identify more than 199,000 health insurance policies that it could dun for pharmacy services provided to Medicaid clients, saving the state $32.8 million, said Andrés Araiza, spokesman for the Health and Human Services Office of the Inspector General.

Accenture’s Dickie said its third-party liability efforts “have generated nearly $2 billion in financial recoveries to Texas” since August 2014. The company’s 73-month contract expires Aug. 31, 2023.
