Elara Caring, a provider of home-based care, suffered a data security breach that they learned about in mid-December. Last month, they started notifying more than 100,400 patients. A notice on their web site explains that a number of corporate email accounts had been compromised — accounts that contained both employee and patient information. Elara Caring learned of the breach in mid-December, but they do not disclose when the breach actually occurred or how they learned about it.
Information in the email accounts included information for employees and patients, and may have included: name, address, Social Security number, driver’s license number, Employer ID number, financial or bank account information, date of birth, email address and password, insurance information and insurance account number, and passport number.
“Importantly,” they state, “we have no evidence at this time that personal information of Elara Caring patients or employees was downloaded, accessed or misused by the intruder.”
While such statements may sound reassuring, some attackers are quite skilled at covering their tracks and data exfiltration. Sometimes, data has been downloaded and shows up months later on a dark web forum. In this blogger’s opinion, patients and employees should not relax because of statements such as the one in this notification — they should take steps to protect themselves. Think of it this way: why would a criminal hack an entity if not to get information to misuse somehow?
You can get more information by reading the entity’s entire notice on their web site. The incident was reported to HHS on February 24 as impacting 100,487 patients, but their report was only added to the public breach tool yesterday.