R1 RCM has notified patients potentially affected by a cybersecurity incident that involved personal identifiable information and personal health information.
R1 said in a notice submitted March 11 with the Massachusetts Attorney General's Office that on Nov. 17 it became aware that protected health information associated with Henderson, Nev.-based St. Rose Dominican, Rose de Lima Campus, was in the possession of an unauthorized third party. R1 is a vendor for the hospital owned by San Francisco-based Dignity Health.
The company said it immediately began an investigation and determined a copy of this PHI was maintained on a server that was targeted by the exploitation of a zero-day vulnerability of GoAnywhere software by the same unauthorized third party on Jan. 30, 2023. R1 said that "while it could not be definitively confirmed that the GoAnywhere Event was the source of the PHI, this notice is being issued out of an abundance of caution."
R1 undertook an analysis of the Dignity PHI and on Jan. 11 determined that certain PHI, including patient name, contact information, date of birth, location of services, clinical and/or diagnosis information, and patient account and/or medical record number was potentially affected, according to the notice. Some patients' Social Security numbers may have also been affected.
"Following the GoAnywhere Event, R1 rebuilt the impacted server and implemented the patch released by GoAnywhere designed to address the vulnerability at issue," the notice said.
R1 said in a letter sent to patients that out of an abundance of caution, the company secured the services Kroll Identity Services to provide them identity monitoring services for free.
An R1 spokesperson told Becker's in a statement that "based on the investigation the potential impact of the event appears to be limited."
"R1 and Dignity Health have worked together to notify impacted patients and appropriate federal and state authorities," the statement said. "R1 is committed to ensuring the security and confidentiality of all company and customer data as we partner to transform the patient experience and financial performance of all our customers."