Texas Medicaid subcontractor dumped after data breach

MM Curator summary

Accenture dropped a subcontractor in TX after hackers were able to defeat security measures and expose data for 274,000 members.





A Texas Medicaid contractor ended its contract with its billing and collection services provider following a malware attack last year that exposed the protected health information of nearly 275,000 patients, according to a March 5 Dallas Morning News report.

Nine details:

1. Texas’ IT services company Accenture nixed its relationship with Houston-based Benefit Recovery Specialists Inc. in October.

2. In July 2020, BRSI notified 274,837 patients and health plan members of the malware attack. In notices BRSI posted on its website and sent to media organizations, the company did not mention Medicaid or Texas as the main affected entity, according to the report.

3. The Texas Health and Human Services Commission, which runs Medicaid, did not learn that 98.5 percent of the nearly 275,000 Americans potentially affected by the breach were Medicaid patients until it received questions about the breach from Dallas Morning News.

4. When first communicating the breach to the state last year, Accenture described a multistate incident involving healthcare providers and insurance billing and collections for more health plans than just Medicaid. This matched the notifications BRSI made to the government and public last summer, according to the report.

5. A Texas Health and Human Services Commission spokesperson told the publication that Accenture did not make HHSC aware that most of the clients affected by the breach were Texas Medicaid patients. BRSI CEO Anthony Stegman told Dallas Morning News he has “no comment” on the situation.

6. An Accenture spokesperson told the publication that the data breach was handled in compliance with state and federal regulations and there was no withholding of relevant information from HHSC. The spokesperson added that early explanations of the incident may have been incomplete only because the company lacked a full view into BRSI’s affairs.

“We shared all relevant information provided to us by BRSI with our client, Texas HHSC, as we learned about the incident from BRSI,” the spokesperson said. “However, due to client confidentiality, BRSI did not share their other impacted clients with us, nor did they share with us what percentage of the impact was represented by Texas Medicaid. We also were not informed by BRSI regarding the overall impacted population.”

7. Between April 20 and April 30, 2020, hackers used accounts within BRSI’s systems and deployed a malicious computer program called the Osiris banking Trojan to steal certain files from the BRSI network and execute Maze ransomware on multiple systems.

8. BRSI paid the ransom, but Accenture said it doesn’t know the monetary amount.

9. Accenture has a $1.45 billion, 73-month contract with the Texas HHSC to enroll providers, pay claims in the fee-for-service portion of Medicaid, and manage Texas Medicaid members’ data.


Clipped from: https://www.beckershospitalreview.com/cybersecurity/texas-medicaid-subcontractor-dumped-after-data-breach.html