Unfortunately, patients are not likely to get their identities back even though CMS found their records.
The records were being offered for sale by a hacker. The seller claims that 48,000 were from a town in Missouri, 210,000 from the “Midwest”, and 397,000 from Georgia.
While medical records — especially ones like these that included names, ssn, and insurance numbers — often run up to $30 or more per record in the criminal underworld, this hacker was apparently running a sale for “only” $400,000 equivalent in Bitcoin.
The discovery prompted a reminder note to healthcare providers on their obligation to report data breaches. View CMS Notice. The notice also contained a link to the original report on the web. Original Report With Dark Web screenshot.
The format of the CMS reminder suggests that CMS does not have a report of a breach that matches the data, but it also suggests that they are definitely LOOKING for provider or hospital that was the source of the data. I would not want to be those medical offices or hospitals when CMS does find out the breach source.
Out of fairness, the folks that lost this data may not know they have been breached. The reported average “breach to discovery” time in the US is more than 200 days. A majority of cases are discovered by police — or in this case, internet sites and CMS.