In July, DataBreaches.net reported on a breach involving Talbert House that had been listed on the “Marketo” leak site, a site where hacked or leaked data is stolen (the site has no connection whatsoever to Adobe’s Marketo). As reported at the time, Talbert House is an agency in Ohio with a network of services focusing on prevention, assessment, treatment and reintegration for clients with a variety of issues, including issues with alcohol and/or drug use and mental health.
At the time of the listing, DataBreaches.net could find no coverage anywhere of any breach and reached out to Talbert House to inquire. Talbert House then posted a notice on their site that day to say that they had become aware of a breach on June 11 after being alerted to suspicious activity by one of their vendors, and were still investigating to determine its scope.
Based on the data provided to this site by Marketo, there appeared to be personal and sensitive information involved.
Yesterday, Talbert House issued a press release saying that it has begun notifying individuals. They write, in part:
While the investigation is still ongoing, we have determined that the unauthorized third party accessed and acquired files containing information of clients, employees, partners, and some other third-parties. Those files included clients’ protected health information, such as: first and last name, full mailing address, medical information and health insurance information. For employees, partners and some other third-parties, Social Security Numbers, driver’s license numbers, and financial account information may have been accessed.
Talbert House is offering complimentary credit monitoring and identity theft protection services to individuals whose personal information has been impacted, even though there has been no indication of misuse at this time.
A copy of the full notice is available on their web site. It does not state that their files were ever encrypted — only that they were accessed and acquired. It does not indicate how much ransom was demanded or whether they paid any ransom. And significantly, perhaps, DataBreaches.net does not see Talbert House listed on Marketo’s site any more. Was ransom paid to get them to remove the listing or did someone buy the data, or….?
Talbert House’s press release also does not indicate how many people are being notified. This incident has not appeared on HHS’s breach tool and it’s not clear if that means that less than 500 patients were impacted or it just hasn’t shown up yet.
DataBreaches.net sent a follow-up email to Talbert House to put those questions to them, but no response has been received as yet. Neither has Marketo responded to an inquiry this site put to it about the removal of the listing from their site.
This post will be updated when this site gets some answers or clarification.
Update of September 24: This incident was reported to HHS as impacting 45,000 patients.