In a widescale data breach, the personal information of more than a quarter million South Bay patients who rely on the state’s affordable health insurance plan may have been exposed through a San Jose-based Medi-Cal provider hit by a nationwide cyber attack.
Santa Clara Family Health Plan said Monday that the sensitive information of 276,993 members — including names, contact information, dates of birth, member IDs and Medi-Cal credentials — may be compromised.
The incident is part of a larger breach of more than 130 organizations across the country, according to a February report by the cyber security division of the U.S. Department of Health and Human Services. Officials believe a Russia-linked ransomware group dubbed “Clop” may be responsible, though no definitive evidence has come to light, the Health Sector Cybersecurity Coordination Center said.
In response to the latest breach, the San Jose healthcare group is urging its members to be on the alert for evidence of identity theft and financial fraud. Its members are now entitled to a free credit monitoring service for two years.
Established in 1997, health plan serves as Santa Clara County’s local provider for the state’s version of Medicaid to over 320,000 residents. The service offers health insurance plans for low-income Californians at little to no cost in one of the country’s most expensive regions.
The state’s attorney general did not respond to a request for comment. California law requires the attorney general to be notified of any data breach affecting over 500 people.
The attack against the San Jose group was first discovered on Jan. 30 by Fortra, a cybersecurity company that offers a software service to allow SCFHP to securely exchange electronic files with a third-party vendor. That vendor, NationsBenefits, said it learned about the data compromise on Feb. 7.
The health plan was notified on Feb. 22 — and mailed a letter dated April 21 to affected members. Other healthcare companies impacted by the cyberattack had their members’ social security numbers stolen, though SCFHP officials say that specific information wasn’t stolen in this case.
“I have experienced a lot of anxiety about it,” said Christina Silva, a plan member who received the April letter notifying her that her personal data may have been stolen. Over the last few days, Silva has scrambled to ensure her information has not been misused. She accused the health plan of responding too slowly to the matter with vague language.
“Has any of this info been used?” asked Silva, whose 14-year-old son is also on the plan. “It is a lot of uncertainty.”
When asked why it waited for nearly a month to notify its members about the incident, the healthcare provider stated in a written response to the Bay Area News Group that it had worked with its vendor NationsBenefits “as quickly as possible to identify impacted members and prepare and mail the notices in compliance with all regulatory and legal obligations.”
The incident comes just months after Oakland experienced a vicious cyberattack where hundreds of gigabytes of city personnel data were hacked and posted on the dark web, a portion of the internet that requires a special web browser to access. Authorities blamed that incident on an “unauthorized third party.”
Sarah Powazek, who directs a cybersecurity academic program at UC Berkeley, said healthcare data is “especially sensitive” because full names and dates of birth cannot be changed. But she said the plan’s members don’t have to be overly concerned.
“Identity theft is a particular concern when sensitive financial information is leaked, such as credit card information or social security numbers,” she wrote. “In this case, identity theft may be less of a concern than the privacy risks of having full names, DOBs, and contact info leaked”
She encourage those affected by the breach to quickly change their Medi-Cal passwords to prevent unauthorized access to their healthcare information. “The Bay Area is still reeling from the recent ransomware attack on the City of Oakland, and it seems almost a weekly occurrence that an organization is hacked and extorted for ransom by cybercriminals,” she said.
According to federal cyber officials, the hacker group “Clop” has been active since 2019 and is one of the “most successful” ransomware actors of the last few years. It was responsible for nearly 1,000 attacks on healthcare infrastructure in 2021 — and in June of that year, six individuals linked to the group living in Ukraine were arrested. The same officials say hospitals are particularly vulnerable to attack because of their weak digital security measures.
“Clop’s alleged attack this year only further exacerbates an ever-growing trend to target the healthcare industry, and highlights its vulnerabilities to future cyberattacks,” the February report by the U.S. Department of Health and Human Services states.
