Preface: In this post, DataBreaches summarizes four more notifications involving patient data or health data that were published this past week. Three of the incidents are new disclosures and one is an update. Note that the three newly disclosed incidents all involved compromise of employee email accounts. In at least two of the three incidents, investigators could not determine which emails or data were accessed, resulting in the entities having to notify everyone who potentially had data accessed (the third incident is silent on this point).
How much more does incident response cost when investigators have to go through every email and attachment, including ones that perhaps did not need to be kept in the employee’s email account at that point? Do you think there’s a take-home message in there, perhaps?
ATC Healthcare
ATC Healthcare in New York issued a press release about a breach they experienced in December 2021. Their press release is not as clear or detailed as an updated notice on their website, so it is the website notice that is the source of this summary:
On December 22, 2021, ATC discovered unusual activity involving some employee email accounts. Investigation revealed that the email accounts had been accessed without authorization at varying times between February 9, 2021 and December 22, 2021.
The compromised email accounts contained the following types of information at the time of the incident: names, Social Security numbers, driver’s licenses, financial account information, usernames and passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures, and employer-assigned identification numbers.
As is often the case, investigators could not be sure exactly what data may have been accessed, so notifications were sent to all individuals who were potentially impacted.
They do not seem to be offering anyone any complimentary services and emphasize that there is no definite evidence that any data was accessed, copied, or exfiltrated.
Community of Hope D.C. (COHDC)
On February 7, 2022, COHDC learned of a data security incident involving unauthorized access to an email account of one COHDC employee. The incident was reportedly discovered when the account’s authorized user identified spam messages being sent from the account. Investigation revealed that an unauthorized actor may have accessed certain files and data contained within a single Outlook 365 email account between January 27 and February 7, 2022.
The information that may have been accessed for individuals included Social Security numbers, driver’s license numbers, financial information, health insurance information, and health diagnostic information.
COHDC appears to have made arrangements with IDX to provide assistance and services to those affected. You can read their full notice on COHDC’s website.
The People Concern
Although they do not disclose when they first discovered a problem, The People Concern (TPC) in California found that an unauthorized individual accessed employees’ email accounts on different dates between April 6, 2021 and December 9, 2021. As in other cases, the investigators were unable to determine exactly which emails or what data in the email accounts was accessed.
TPC collects a variety of information on community members and employees, including: name, date of birth, Social Security number, health insurance information, and medical information regarding care the community member may have received in one of their programs.
For those whose SSN or driver’s license information was potentially involved, TPC is offering services through IDX to assist them.
TPC’s notification to the California Attorney General’s Office can be found here; their website notice can be found here.
Advocates, Inc.
On June 28, Advocates, Inc. in Massachusetts issued a press release.
According to the release, on October 1, 2021, Advocates was informed that Advocates data had been copied from its digital environment by an unauthorized actor. Investigation revealed that an unknown actor gained access to and obtained data from the Advocates network between September 14, 2021 and September 18, 2021. The unauthorized individual was able to acquire personal and protected health information including: name, address, Social Security number, date of birth, client identification number, health insurance information, and medical diagnosis or treatment information.
But if you recognize their name, you may be wondering why they issued this notice on June 28. This is the same incident that had been reported to the Maine Attorney General’s Office by their external counsel on January 3, 2022 as impacting 68,236 individuals (total). It was also reported with that number to HHS on January 21, 2022.
Digging deeper into their website notice reveals that the identification of additional affected individuals continued into June. As they explain:
Advocates is not aware of any evidence of the misuse of any information potentially involved in this incident. However, beginning on January 3, 2022, Advocates mailed notice of this incident to potentially impacted individuals for which Advocates had identifiable address information. Advocates then worked diligently with experts to review the impacted data set and identify any additional potentially impacted individuals with address information. That process was completed on June 9, 2022, and on June 28, 2022, Advocates provided notice of this incident to those individuals.
At some point, then, we may see an amended entry on HHS’s breach tool or to the Maine Attorney General’s Office, or both.