On September 8, 2022, DaVita Inc. confirmed that the company suffered a data breach after an unauthorized party gained access to sensitive user data entrusted to the company. According to DaVita, the breach resulted in the compromise of the names, addresses, social security numbers, medical information and health insurance information of certain individuals. DaVita recently sent data breach letters to all affected parties informing them of the incident and what they can do to protect themselves from identity theft and other fraud.
If you’ve been notified of a data breach, it’s important to understand what’s at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are after the DaVita data breach, please see our recent feature on the topic here.
What we know about the DaVita data breach
The DaVita data breach was reported very recently. Thus, information regarding the cause of the incident and when it occurred is limited. According to a formal notice filed by the company with the Texas Attorney General, the company estimates that the incident affected 1,072 Texas residents; however, the total number of victims across the country could be much higher.
After determining that sensitive user data had been accessed by an unauthorized party, DaVita then reviewed the affected files to determine what information was compromised and which users were affected. Although the information breached varies by individual, it may include your name, address, social security number, medical information, and health insurance information. At this time, it is unclear whether the incident affected company employees, customers, or both.
On September 8, 2022, DaVita sent data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1979, DaVita Inc. is a healthcare company based in Denver, Colorado. The company is primarily focused on the treatment of end-stage renal disease. DaVita operates 2,816 ambulatory dialysis centers in the United States serving 204,200 patients. DaVita also operates 321 ambulatory dialysis centers in ten other countries, serving an additional 3,200 patients worldwide. DaVita is one of the largest dialysis providers in the country, controlling a 37 percent market share in the industry. DaVita employs more than 69,000 people and generates approximately $11 billion in annual revenue.
Was protected health information leaked in the DaVita data breach?
Based on the company’s official statement to the state of Texas, we know that the DaVita data breach affected sensitive patient information, including names, addresses, social security numbers, medical information and health insurance information. While the company has not yet confirmed how the breach occurred or the specific nature of the leaked information, it appears likely that the incident led to the compromise of certain parties’ protected health information.
Protected health information is a specific type of health-related data that relates to a patient’s past or current health status or how the patient pays or plans to pay for their health care. For example, the results of a medical imaging test, insurance claims information, or a patient’s dialysis treatment history may be protected health information. However, not all health-related data is considered protected health information.
Under the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, health-related information is considered “protected” only if it contains one or more identifiers. This is because without an identifier there would be no way for anyone to link the data to the patient. An identifier is additional information included with the breached data that would allow someone to match the data to a specific patient. Some of the most common identifiers include patient names, physical or email addresses, photographs, fingerprints, or social security numbers.
From the patient’s perspective, having their protected health information leaked in a data breach means that anyone who gets hold of the information will almost certainly have enough information to commit healthcare identity fraud against the victim.
Healthcare identity theft is similar to other types of identity theft in that it involves an unauthorized person using stolen data for their own benefit. However, healthcare identity fraud is generally much more difficult to resolve than other types of identity theft. Not only that, but unlike other forms of identity theft, healthcare identity theft can actually put patients’ physical health at risk.
For example, after obtaining a patient’s PHI, cybercriminals often sell the information on the dark web. The person purchasing the PHI does so with the intent to obtain medical care in the victim’s name. After purchasing the stolen information, they can go to a doctor’s office pretending to be the victim and give the doctor the victim’s identifying information. When the doctor asks the fake patient for details such as medical history, allergies, and current medication list, the fake patient provides their own information to ensure they receive the appropriate treatment. The result, however, is that the fake patient’s information is mixed with that of the victim, potentially causing serious problems the next time the victim seeks medical attention.
Victims of a data breach involving protected health information should be sure to take all necessary precautions, including reviewing their medical records and notifying their providers. Patients who have questions about how to hold a company accountable for the theft of their information should contact a data breach attorney for help.