Medical billing firm Medusind discloses breach affecting 360,000 people

January 9, 2025

Medusind

Medusind, a leading billing provider for healthcare organizations, is notifying hundreds of thousands of individuals of a data breach that exposed their personal and health information more than a year ago, in December 2023.

The Miami-based company operates 12 locations across the United States and India, and it also provides revenue cycle management services to over 6,000 healthcare providers, helping them reduce operating costs and maximize revenue.

Medisund says in a data breach notification letter filed with the Office of Maine's Attorney General that it spotted the breach more than one year ago, in December 2023, after detecting suspicious activity on its network.

"Upon discovering the suspicious activity, Medusind took the affected systems offline and hired a leading cybersecurity forensic firm to conduct an investigation," according to the breach notice.

"Through this investigation, we found evidence that a cybercriminal may have obtained a copy of certain files containing your personal information."

In the Maine filing, the company revealed that the December 2023 breach affected the personal and health information of 360,934 individuals.

Documents exposed in the incident contained the following data types, although the impacted information varies by affected individual:

health insurance and billing information (such as insurance policy numbers or claims/benefits information),
payment information (such as debit/credit card numbers or bank account information),
health information (such as medical history, medical record number, or prescription information),
government identification (such as Social Security number, taxpayer ID, driver's license, or passport number),
and other personal information (such as date of birth, email, address, or phone number).

Medusind offers those affected by this data breach two years of free Kroll identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration.

It also warned them to keep track of their account statements for signs of potential identity theft and fraud attempts and to monitor credit reports for unauthorized or suspicious activity.

These notifications come after the U.S. Department of Health and Human Services (HHS) proposed updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in late December 2024 to secure patients' health data following a surge in massive healthcare security breaches and data leaks affecting hospitals and Americans in recent years.

These overhauled cybersecurity rules mandate healthcare organizations to encrypt Americans' protected health information (PHI), implement multifactor authentication wherever possible, and segment networks to make it harder for cybercriminals to move laterally through them.

Ascension, one of the largest private U.S. healthcare systems, recently alerted nearly 5.6 million people that their data was stolen in a May cyberattack claimed by the Black Basta ransomware gang.

In October, UnitedHealth confirmed the most significant healthcare breach in recent years, stemming from a February Change Healthcare ransomware attack that affected over 100 million people.