R1 RCM
A major hospital revenue cycle company exposed patient billing data—SSNs, insurance details, and treatment records from health systems nationwide.
What happened?
R1 RCM, one of the largest revenue cycle management companies serving hospitals and health systems, disclosed a data breach affecting patient billing records. R1 manages the financial operations for major health systems—from patient registration to claims processing to collections—handling sensitive data at every step.
What data was actually inside?
Patient names, Social Security numbers, insurance details, billing records, and diagnosis/treatment codes. Revenue cycle companies see the complete financial picture of every patient encounter—what was done, what it cost, who paid, and who still owes money.
R1's scale means data from multiple health systems aggregates in their infrastructure—a breach affects patients across many hospitals.
Who gets hurt and how?
Patients at every health system using R1's services. They sought care at their local hospital; R1 handled the billing. Now their SSNs, insurance information, and medical conditions (via billing codes) are exposed. The data enables medical identity theft, insurance fraud, and targeted scams.
Billing data also reveals financial vulnerability—patients with outstanding balances or payment plans are known to attackers.
What did they think they were doing right?
R1 RCM is a publicly traded company serving major health systems. It operates under HIPAA as a business associate, with security programs, compliance certifications, and client contracts that require it to protect patient data. Health systems chose R1 precisely because revenue cycle is complex and R1 markets itself on that expertise.
The trust placed in revenue cycle vendors comes with corresponding security expectations. Those expectations weren't met.
What did they not know about their own data?
R1 didn't know how accessible patient data was across their infrastructure. Revenue cycle operations generate and process data continuously—patient registrations, charge captures, claims, payments, denials. Each transaction adds to the data volume. Each client adds more patient records.
They knew they had PHI at scale. They didn't know how much could be accessed in a breach.
What does attribution look like the morning after?
Notifications cascading from R1 to health system clients to patients. Each hospital must determine their exposure and manage their own notifications. HHS OCR investigation of R1 and potentially each affected covered entity. The complexity multiplies across every client relationship.
For R1, the breach threatens relationships with health systems that trusted them with their patients' data. Revenue cycle is a sticky relationship—but breaches test that stickiness.
What would have changed the outcome?
Mapping sensitive data flows across the entire revenue cycle operation.
If R1 had visibility into where patient data lived, in every database, every integration, every export, every work queue, they could have ranked those stores by what they held, put the strongest controls around the ones holding SSNs and diagnosis codes, and detected anomalous access to them. Revenue cycle vendors handle the complete financial identity of patients. That data requires security that matches its sensitivity.
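The kind of inventory pass the paragraph above describes, reduced to a runnable sketch. This is an added example, not code from R1 RCM or from the Risk Finder product: it walks a set of constructed revenue-cycle datasets, classifies columns by name hint and then by value pattern (so an unlabeled SSN column in a collections worklist is still caught), scores each dataset by what it holds, and answers the two questions a breach response needs first: which stores are most damaging if exposed, and where does a given data class live. The dataset names, column names, record values, regex shapes and weights are all assumptions for illustration.

```python
import re

# Value-pattern detectors. These shapes are assumptions for this example, not an
# authoritative PHI specification; a real scanner would use validated dictionaries.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
ICD10_RE = re.compile(r"^[A-TV-Z]\d[0-9A-Z](?:\.[0-9A-Z]{1,4})?$")
CPT_RE = re.compile(r"^\d{4}[0-9FTU]$")
MEMBER_ID_RE = re.compile(r"^[A-Z]{2,3}\d{8,10}$")  # assumed payer member-ID shape

# Column-name hints, checked before value patterns.
NAME_HINTS = [
    ("ssn", ("ssn", "social")),
    ("diagnosis_code", ("dx", "diag", "icd")),
    ("procedure_code", ("proc", "cpt")),
    ("insurance_member_id", ("member", "subscriber")),
    ("balance_due", ("balance", "owed", "due")),
    ("name", ("name",)),
]
# Value-pattern fallbacks for unlabeled or mislabeled columns. Free-text names
# are deliberately absent: they cannot be recognised by shape alone.
PATTERN_HINTS = [
    ("ssn", SSN_RE),
    ("diagnosis_code", ICD10_RE),
    ("procedure_code", CPT_RE),
    ("insurance_member_id", MEMBER_ID_RE),
]
# Exposure weight per data class (assumed); higher means more damaging if breached.
WEIGHTS = {"ssn": 10, "diagnosis_code": 6, "insurance_member_id": 5,
           "procedure_code": 4, "balance_due": 3, "name": 2}
MATCH_THRESHOLD = 0.8  # fraction of non-empty values that must match a pattern

# Constructed sample datasets standing in for revenue-cycle tables and exports.
DATASETS = {
    "registration": {
        "patient_name": ["Ann Example", "Bo Sample"],
        "ssn": ["123-45-6789", "987-65-4321"],
        "member_id": ["BCB123456789", "AET987654321"],
    },
    "claims_export": {
        "claim_id": ["C1", "C2"],
        "dx_code": ["E11.9", "I10"],
        "proc": ["99213", "93000"],
        "balance_due": ["120.50", "0.00"],
    },
    "ar_worklist": {               # collections queue with an unlabeled SSN column
        "acct": ["A1", "A2"],
        "col_3": ["123-45-6789", "111-22-3333"],
        "payer_member": ["UHC0012345678", "CIG9876543210"],
        "amount_owed": ["540.00", "75.25"],
    },
    "vendor_contacts": {
        "contact_name": ["Pat Vendor"],
        "phone": ["555-0100"],
    },
}


def classify_column(name, values):
    """Return the data class of a column, or None if nothing sensitive is found."""
    lname = name.lower()
    for data_class, hints in NAME_HINTS:
        if any(h in lname for h in hints):
            return data_class
    sample = [str(v) for v in values if v not in (None, "")]
    if not sample:
        return None
    for data_class, rx in PATTERN_HINTS:
        matched = sum(1 for v in sample if rx.match(v))
        if matched / len(sample) >= MATCH_THRESHOLD:
            return data_class
    return None


def build_inventory(datasets):
    """Map each dataset to its sensitive columns and an exposure score."""
    inventory = {}
    for ds_name, columns in datasets.items():
        found = {}
        for col, values in columns.items():
            data_class = classify_column(col, values)
            if data_class:
                found[col] = data_class
        # Each class counts once: two SSN columns are not twice as bad as one.
        score = sum(WEIGHTS[c] for c in set(found.values()))
        inventory[ds_name] = {"columns": found, "score": score}
    return inventory


def prioritize(inventory):
    """Dataset names ordered by exposure score, highest first."""
    return sorted(inventory, key=lambda n: (-inventory[n]["score"], n))


def locate(inventory, data_class):
    """Every dataset holding the given data class, sorted by name."""
    return sorted(n for n, e in inventory.items()
                  if data_class in e["columns"].values())


if __name__ == "__main__":
    inv = build_inventory(DATASETS)
    for ds in prioritize(inv):
        print(f"{ds:16} score={inv[ds]['score']:3} {inv[ds]['columns']}")
    print("SSNs live in:", locate(inv, "ssn"))
```

The point of the value-pattern fallback is the collections worklist: its SSN column is named col_3, so a name-only inventory would rank it as low-risk, while the scan above ranks it above the registration table. Run on real stores, the output is the ranked list that tells a vendor where to put encryption, access logging and anomaly detection first, and the locate() answer is the list a breach response team needs on day one.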
Don't Learn What You Have From an Attacker
R1 didn't know what patient data was at risk until the breach revealed it. Risk Finder shows you first.
Start Your Risk Assessment