AUSTIN — A Texas Medicaid subcontractor has been terminated after a data-privacy breach caused by a ransomware attack from Russia last year exposed the personal information of tens of thousands of low-income residents.
Also, a spokeswoman for the state’s sprawling health and social services agency has said it was not initially informed that the brunt of the malicious hack fell almost entirely on Texas Medicaid recipients.
Christine Mann confirmed that the state Health and Human Services Commission, which runs Medicaid, did not learn that 98.5% of the nearly 275,000 Americans potentially affected by the breach were Texas Medicaid patients until it received questions about the incident from The Dallas Morning News.
Original communications to the state by prime contractor Accenture apparently described a multi-state incident involving health care providers and insurance billing and collections for health plans ranging well beyond Medicaid.
That would mirror other notifications Accenture’s collections subcontractor, Houston-based Benefit Recovery Specialists Inc. or BRSI, made to the federal government and the public last summer.
While a June 26 news release BRSI sent to The Associated Press’ Texas editor referred to how the breach “may impact the personal information of certain individuals using services under the Medicaid program,” notices the company posted on its website and sent to national news media did not mention Medicaid or Texas as the main affected entity, The News has learned.
“You also asked if Accenture made HHSC aware that the majority of clients affected by the multi-state breach were Texas Medicaid clients,” the commission’s Mann said in a recent email.
“The answer is no.”
BRSI chief executive Anthony Stegman, reached by phone Wednesday, said, “I have no comment.”
Neither he nor the company, which provides billing and collection services to health care providers and payors, responded to queries sent via email or through its website.
Devon, Pa.-based data security lawyer Angelina Friend, who on behalf of BRSI reported the incident to Attorney General Ken Paxton’s office last summer, also did not respond.
On Thursday, two House budget writers questioned the commission’s top two information technology officials about the breach, whether there will be consequences for Accenture and how the state will install more safeguards.
“To me, they have broken the data use agreement because they have released a whole bunch of information about … a quarter of a million Texans,” said Rep. Giovanni Capriglione, R-Southlake.
Rep. Ann Johnson, D-Houston, said the subcontractor’s inadvertent release of personal information allowed “potential fraud and harm” to a vulnerable population.
“This was one of the largest health care data breaches ever. It’s 274,837 individuals whose identity information has been compromised,” she said. Johnson said she’s dismayed Accenture “is still receiving funds from the state.”
On Friday, commission spokeswoman Mann said Accenture determined the breach was caused by a “phishing attack” on BRSI’s data systems.
“We’re currently reviewing the root cause of this incident, identifying and implementing corrective actions, and determining an appropriate remedy, which could include liquidated damages, in accordance with the contract,” Mann wrote in an email.
In fall 2017, Accenture, a major Medicaid program contractor, hired BRSI to collect payments from other health insurance plans for pharmacy services provided to Medicaid patients.
The data breach, which was discovered last April, was handled in a way that complied with state and federal regulations, said Accenture spokesman Joe Dickie. There was no withholding of relevant information from the Health and Human Services Commission, he added. Early explanations may have been incomplete, but only because Accenture lacked a full view into BRSI’s affairs, Dickie said.
“We shared all relevant information provided to us by BRSI with our client, Texas HHSC, as we learned about the incident from BRSI,” he said in a written statement. “However, due to client confidentiality, BRSI did not share their other impacted clients with us, nor did they share with us what percentage of the impact was represented by Texas Medicaid. We also were not informed by BRSI regarding the overall impacted population.”
It’s not known whether any Medicaid recipients’ identity was stolen because of the breach.
“BRSI is unaware of any actual misuse of the impacted personal information,” according to Freind’s notice of the data breach to Paxton’s office. “An unauthorized actor accessed BRSI’s systems using employee credentials,” it said. The hack apparently involved email.
According to Accenture’s July 31 final report to the commission about the incident, the names, addresses, dates of birth, Social Security numbers, diagnosis and procedure codes and dates on which prescriptions were filled for at least some of 270,666 potentially affected Texas Medicaid clients were compromised.
Accenture’s report and spokesman Dickie said BRSI mailed letters to 130,706 Medicaid recipients alerting them to the breach. It was unable to mail letters to additional Medicaid clients because their compromised data included things such as dates of medical services rendered and procedure codes that could not be traced to an individual, Dickie said.
“The goal of mailing individual notices to impacted individuals had to be balanced with minimizing the confusion that can arise when notices are received by the wrong individuals,” he said in a statement. In Accenture’s report to the commission, it said, “Accenture takes our responsibility to safeguard our clients’ data extremely seriously and is committed to working closely with you on this issue.”
Accenture hired cybersecurity firm Charles River Associates to verify what BRSI and its cyber sleuths, Kroll Investigative Analysis, had found, the report noted. The Kroll and Charles River findings have not been made public.
“Bad actor(s) gained remote access to the BRSI network on April 20, 2020, via Remote Desktop Protocol …, from an IP address geolocating to Russia,” Accenture’s report recounted.
Between April 20 and April 30, the hackers “utilized accounts with escalating privileges,” then deployed a malicious computer program known as the Osiris banking Trojan. The hackers “exfiltrated certain files from the BRSI network, and executed Maze ransomware on multiple systems in the BRSI network,” the report said.
BRSI paid the ransom, it said. Accenture’s Dickie said he didn’t know how much.
Capriglione said he’s crafting legislation this year that the BRSI breach has helped inspire. He did not elaborate.
Last session, he authored a bill that, while watered down before it was passed and signed into law by Gov. Greg Abbott, required businesses and computer-system operators to report to the attorney general within 60 days any data breach affecting the “sensitive personal information” of 250 or more Texans. The reporting requirement took effect on Jan. 1, 2020.
BRSI’s breach was the fifth biggest in Texas last year, according to an analysis by The News of data obtained from Paxton’s office through an open-records request.
The episode drew fleeting attention in the national trade press on information technology security and health privacy, as few details about BRSI’s work or clients were divulged. The Information Security Media Group reported that BRSI didn’t respond to its requests “for additional details, including how many client organizations were affected by the breach.”
As Accenture’s final report to the commission noted, “The press releases and related media coverage only reference BRSI,” and did not mention Accenture.
As often happens after people’s personal information is compromised, BRSI in some of the nearly 131,000 letters sent to Texas Medicaid recipients offered one year of free credit monitoring and identity restoration services from Equifax or TransUnion, according to Freind’s letter to Paxton’s office.
However, neither she, BRSI chief Stedman nor Accenture’s Dickie divulged how many Medicaid recipients were offered the free services, and how many accepted. Dickie said only those whose Social Security numbers were compromised were offered the services.
“To raise awareness of the incident,” Accenture posted a notice about the breach on the website of the Texas Medicaid & Healthcare Partnership, or TMHP, Dickie said. Accenture and vendor drug program contractor Conduent run TMHP for the state. Accenture has a $1.45 billion, 73-month contract with the commission to enroll providers, pay claims in the dwindling “fee for service” portion of the Medicaid program and manage a vast data system that measures quality and usage of services for all 4.5 million Texans with full Medicaid benefits.
Neither Dickie nor BRSI officials divulged how many Medicaid clients called a toll-free number included in the notice on the TMHP website.
“We don’t have answers to share with you on the other questions; BRSI had responsibility for administering the incident response and remediation,” Dickie said. Accenture “severed our relationship with BRSI, as of October 2020,” he said.
It’s unclear how much Accenture paid BRSI.
In the three years BRSI worked on what’s called “third-party liability,” it helped the state identify more than 199,000 health insurance policies that it could dun for pharmacy services provided to Medicaid clients, saving the state $32.8 million, said Andrés Araiza, spokesman for the Health and Human Services Office of the Inspector General.
Accenture’s 73-month contract expires Aug. 31, 2023.
Top 10 data breaches in Texas, 2020
Here are the 10 largest hacks of personal information in Texas last year, as reported to the state attorney general’s office under a law passed in 2019.
The law requires “a detailed description of the nature and circumstances of the breach.”
Listed are the business or other entities that suffered breaches, how many people could have been affected and the type of breach, as determined from news reports and/or a spreadsheet compiled by the attorney general’s office:
Vertafore Inc., 27.6 million Texans affected, insurance software had driver license information
Morgan Stanley, 765,247, type of breach listed as “other” at network server
Zoetop Business Co. Ltd., 636,608, external system breach at network server
Hendrick Health, Abilene, 593,636, external system breach at network server
BRSI, 270,666, external system breach through employee email
Direct Energy LP, through third party vendor Kitewheel LLC, 209,000, external system breach at network server
Seton Foundations, 158,086, external system breach at network server
MEDNAX Services Inc., 140,649, external system breach at email
Austin Independent School District, 106,761, external system breach at “other”
Fort Worth Community Credit Union, 83,924, external system breach at network server
SOURCE: Office of Attorney General; Dallas Morning News research