DataBreaches.Net


It’s the biggest breach reported so far to Massachusetts in 2024 but you probably didn’t hear about it.

Posted on July 15, 2024 (updated October 10, 2024) by Dissent

Updated July 16: It appears that Edward Flynn, LMHC, may not have intended to indicate that his organization had 575,000 people affected by a breach. However, despite multiple attempts and inquiries from DataBreaches, he continues to decline to provide any coherent statement to explain his report to the state in terms of what actually happened and how many individuals in his practice or work had PII or PHI involved. Mr. Flynn may be a timely reminder of why you should have a lawyer to consult with or to guide you if you have a breach to report. 

Original post:

Do you know the single biggest breach report filed with Massachusetts so far this year?

It would be understandable if you guessed Change Healthcare, but there is no publicly listed report from them yet to Massachusetts, so it’s not them. And it’s not the Loan Depot breach reported in February as affecting 406,849 Massachusetts residents or the AT&T breach reported in April that affected 161,272 Massachusetts residents.

The biggest breach reported so far to Massachusetts this year was reported by an entity most people have probably never heard of:  Edward Flynn, LMHC. 

What We Know So Far

According to Massachusetts’ breach tool, 575,000 Massachusetts residents were affected by an incident involving their Social Security Numbers, Medical Records, Financial Accounts, Driver’s Licenses, and Credit/Debit Numbers. The breach was reported to them on July 6, 2024.

Image: Record from Massachusetts’ public breach tool shows submission by Flynn on July 6, 2024.

But what happened? Massachusetts uploads template notification letters. Where there is no letter corresponding to the assigned number, the site informs the public that “If an assigned data breach number is not listed, the consumer was contacted via phone or another mode of communication, and no letter was sent.”

There was no letter listed for the assigned number for the Flynn incident and DataBreaches could find no substitute notice, press release, or notification to any other regulator.

DataBreaches emailed Mr. Flynn to ask for a copy of any substitute notice, notification letter, or explanation of the reported incident. He replied to the email saying, in part, that he didn’t know who I was or why DataBreaches was trying to have him “provide evidence since none of your business. Have a good one.”

DataBreaches responded to Mr. Flynn that yes, this site reports on breaches. DataBreaches asked him again for an explanation of the report to Massachusetts, but no reply has been received by publication.

Because he did not provide any explanation for the breach, DataBreaches considered what is known about his professional activities that could help predict who might have been affected.

Who is Edward Thomas Flynn, LMHC?

Image: OnlineWebCounseling.com

Based on the results of a Google search, Edward Thomas Flynn has a master’s degree in education and is a licensed mental health counselor and school adjustment counselor in Massachusetts. He offers treatment services for anxiety, depression, trauma, and Post-Traumatic Stress Disorder and claims experience working with a number of populations in a number of different settings. He also offers individual or group clinical supervision to students in the field of mental health.

In an undated bio, Mr. Flynn also claims he is a specialist in research for Mind Light, LLC: “I am a specialist in research, conducting studies, have experience in pharmaceutical science, behavioral health, and have worked in many various settings affiliated with the research conducted on this site.” He also stated he had eight years’ experience in the Massachusetts prison system. Fred Schiffer, Founder and CEO of Mind Light, contacted DataBreaches.net to state that to his knowledge, Mr. Flynn would not have had any of their research participants’ records.

Lack of Transparency is Problematic, Public Records Requested

The broad range of claimed experiences and settings makes it difficult to guess what patients, prisoners, employees, or research participants may have had their data involved in the incident reported to Massachusetts, but the fact that SSN, medical records, financial accounts, driver’s license numbers, and credit/debit numbers were involved is concerning. Were the medical records specific counseling records about psychological disorders or just coded records?

Because of the lack of transparency, we also do not know how far back any compromised files may go or how many people may be affected in total. This incident has not shown up on HHS’s public breach tool, and DataBreaches does not know whether Mr. Flynn is a HIPAA-covered entity.

In addition to emailing Mr. Flynn, DataBreaches filed public records requests with the Massachusetts Office of Consumer Affairs and the Foxboro, Massachusetts Police (the latter in case Mr. Flynn filed a police report about any incident). An inquiry was also sent to Mind Light LLC via their website contact form.

No replies were received by publication. This post will be updated if more information becomes available.


This post was updated on October 10, 2024 to add Mr. Schiffer’s statement that to the best of his knowledge, Mr. Flynn would not have had any of Mind Light’s research participants’ data. 


Category: Health Data, U.S.
