In November, 2020, networking equipment vendor Belden revealed that they had been the victim of a cyberattack. DataBreaches.net noted it at the time, but did not realize any protected health information was involved until April, 2021, when Belden notified HHS that protected health information they maintained as part of their health plan had been potentially impacted for 6,348 individuals.
This week, Belden published a substitute notice that provided more details and informed people impacted by the breach what they could do to protect themselves. Their substitute notice of July 2 begins:
What happened?
On the evening of November 12, 2020, Belden IT professionals detected unusual activity involving certain company servers. We immediately triggered our cybersecurity incident response plan, deployed teams of internal IT specialists, and engaged leading third-party cybersecurity forensic experts and other advisors to identify the scope of the incident and move quickly to mitigate the impact. Forensics experts determined that we were the target of a sophisticated attack by a party outside the company. On or about November 15, 2020, we learned that the outside party accessed servers that contained personal information of some current and former employees. We subsequently learned that our servers also contained some health-related information of some current and former employees, as well as some personal and health-related information of some spouses, dependents, and relatives of some current and former employees.
What information was involved?
For affected individuals, the personal and health-related information involved in this incident may have included names, birthdates, government-issued identification numbers (for example, social security number), bank account information (for North American employees on Belden payroll), home addresses, email addresses, other general employment-related information (for Belden employees), gender, and benefits information, such as UMI (member) number, group number, coverage category, primary source of coverage, the effective date of that coverage, any additional sources of coverage, the effective date of additional coverages, their relationship to a Belden employee, and other benefits information. For individuals involved in a workers’ compensation claim associated with Belden, the personal and health-related information may have also included some information about their injury. For Belden personnel in insurance claims dispute discussions, the information about them may have included diagnosis and treatment information related to the claim. Otherwise, Belden personnel do not have access to individuals’ diagnosis and treatment information.
What we are doing?
While our investigation continues, we believe that we have stopped further unauthorized access of personal data on our servers. We are also working with regulatory and law enforcement officials, including the F.B.I. and Department of Homeland Security, to investigate the matter and have engaged legal counsel to help us notify appropriate regulatory authorities. In addition, we are continuously monitoring for any suspicious activity on our systems and have deployed additional resources to reinforce the security of our systems.
To help relieve concerns and attempt to mitigate the consequences of this incident on affected individuals, where available and legally permissible we are offering a complimentary twenty-four month membership of Experian IdentityWorksSM Credit 3B to individuals whose data was potentially impacted by this incident. If you are interested in obtaining this service, please contact us using the methods provided below and, if we are able to verify that you were a potentially affected individual, we will provide instructions on how to enroll in the Experian IdentityWorksSM Credit 3B product. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification and resolution of identity theft.
What you can do?
If you think that you may have been impacted by this incident, you may contact us at 1-833-971-3268, Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time or at [email protected]. Please also review the enclosed “Additional Resources” section below. This section describes additional steps you can take to help protect yourself, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file.
Protecting your information is important to us. We trust that the services we are offering to you demonstrate our continued commitment to your security and satisfaction.
The remainder of the substitute notice can be found here.
The notice makes no specific mention of HHS or HIPAA, and it’s not clear whether their substitute notice at this time is purely voluntary on their part, on the advice of counsel, or if HHS pushed them to do a notice that would be compliant with HITECH and HIPAA requirements. In either event, It seems that seven months after they first detected a breach, the firm is first offering some mitigation services to some of its workforce or their dependents. Will that persuade people of their commitment to security and satisfaction? Hopefully there has been no misuse of any information that may have been acquired by the unnamed threat actors.