At least 34 healthcare orgs affected by alleged ransomware attack on OneTouchPoint

A ransomware attack on printing and mailing services provider OneTouchPoint is having several downstream effects on its customers, prompting it to release a data breach notice last week on behalf of 34 healthcare organizations.

OneTouchPoint provides its services to several health insurance carriers and medical providers, which hand over customer information for certain services.

The company did not respond to requests for comment but said in a notice on July 27 that it discovered encrypted files on certain computer systems on April 28.  

More than a month later, the company determined that it “would be unable to determine what specific files the unauthorized actor viewed within the OTP network.” The company notified its customers on June 3. 

It is unable to say “definitively” what personal information was accessed by the ransomware group but noted that it worked with customers to determine what information was on their network. It offered to mail breach notification letters to those affected. 

The information included names, healthcare member IDs, as well as information that was provided during health assessments. The incident was reported to law enforcement, according to the notice. 

OneTouchPoint has not said how many people were affected by the breach in total. No ransomware group has taken credit for the attack. 

OneTouchPoint said it was providing notice on behalf of an array of medical organizations, while Arkansas BlueCross and BlueShield released its own breach notification in June explaining that 1,423 of its members had their names, addresses, dates of birth, provider names and medical information exposed in the attack on OneTouchPoint. 

The organization said it was exposed through Matrix Medical Network, which previously provided member services for Arkansas Blue Cross. In July Blue Shield of California Promise Health Plan sent out a breach notification letter as well, similarly attributing the information exposure to Matrix Medical Network. 

The letter said the information exposed names, subscriber ID numbers, diagnoses, medications, addresses, dates of birth, sexes, physician demographics information, family histories, social histories, allergies, vitals, immunizations, and more.

OneTouchPoint is not providing victims with any identity theft protection services but Blue Shield of California Promise Health Plan said it was providing one year of complimentary access to Experian IdentityWorks.

Ransomware attacks on healthcare organizations have continued throughout 2021 and 2022, including recent attacks on a California nonprofit in March by the Hive ransomware group. 

FBI Director Christopher Wray said last month that an Iran-based group attacked the Boston Children’s Hospital with ransomware last June. 

In June, the sensitive information of two million people was accessed during a cyberattack on Shields Health Care Group, a Massachusetts-based healthcare organization that provides services to more than 50 hospitals and clinics across the northeast, including hospitals at higher-education institutions like Emerson College, University of Massachusetts, Tufts University, Wellesley College and more.

A February ransomware attack on medical debt collection firm Professional Finance Company caused a widespread data breach affecting 657 healthcare organizations.