Nine months after detecting abnormal activity on their systems, and seven months after first publicly acknowledging a breach, NYSARC Columbia County has issued another press notice.
Their newest notice is somewhat confusing in that it states that they “will issue notices to affected individuals and relevant state and federal agencies about the incident.” But then in the next paragraph, they state, “While COARC is unaware of any misuse of personal information, out of an abundance of caution, we notified the potentially affected individuals by mail.”
So have they already notified them, or are the notifications still to come?
COARC determined that the following types of information may have been impacted: name, address, social security number, financial account, credit card information, medical information, student information, driver’s license, and passport number. Note that this describes general categories of information identified as present within the affected systems during the incident and it includes categories that are not relevant to each individual.
The full notice can be found here.
DataBreaches reached out to the attorney contact this morning to ask for clarification about whether individuals have already been notified, and also to ask about the ransomware aspect: was data actually exfiltrated as part of the attack, did COARC receive a ransom demand, and if so, did they pay it? No reply was received by the end of the day.
Update: Their website notice is clearer than their press release. The website notice states that they started sending out letters on April 26, 2023. It does not address the ransom and data exfiltration questions, though, and we still do not know the total number of people affected by this.