Updated July 16: It appears that Edward Flynn, LMHC, may not have intended to indicate that his organization had 575,000 people affected by a breach. However, despite multiple attempts and inquiries from DataBreaches, he continues to decline to provide any coherent statement to explain his report to the state in terms of what actually happened and how many individuals in his practice or work had PII or PHI involved. Mr. Flynn may be a timely reminder of why you should have a lawyer to consult with or to guide you if you have a breach to report.
Original post:
Do you know the single biggest breach report filed with Massachusetts so far this year?
It would be understandable if you guessed Change Healthcare, but there is no publicly listed report from them yet to Massachusetts, so it’s not them. And it’s not the Loan Depot breach reported in February as affecting 406,849 Massachusetts residents or the AT&T breach reported in April that affected 161,272 Massachusetts residents.
The biggest breach reported so far to Massachusetts this year was reported by an entity most people have probably never heard of: Edward Flynn, LMHC.
What We Know So Far
According to Massachusetts’ breach tool, 575,000 Massachusetts residents were affected by an incident involving their Social Security Numbers, Medical Records, Financial Accounts, Driver’s Licenses, and Credit/Debit Numbers. The breach was reported to them on July 6, 2024.
But what happened? Massachusetts uploads template notification letters. Where there is no letter corresponding to the assigned number, the site informs the public that “If an assigned data breach number is not listed, the consumer was contacted via phone or another mode of communication, and no letter was sent.”
There was no letter listed for the assigned number for the Flynn incident and DataBreaches could find no substitute notice, press release, or notification to any other regulator.
DataBreaches emailed Mr. Flynn to ask for a copy of any substitute notice, notification letter, or explanation of the reported incident. He replied to the email saying, in part, that he didn’t know who I was or why DataBreaches was trying to have him “provide evidence since none of your business. Have a good one.”
DataBreaches responded to Mr. Flynn that yes, this site reports on breaches. DataBreaches asked him again for an explanation of the report to Massachusetts, but no reply has been received by publication.
Because he did not provide any explanation for the breach, DataBreaches considered what is known about his professional activities that could help predict who might have been affected.
Who is Edward Thomas Flynn, LMHC
Based on the results of a Google search: Edward Thomas Flynn has a master’s degree in education and is a licensed mental health counselor and school adjustment counselor in Massachusetts. He offers treatment services for anxiety, depression, trauma, and Post-Traumatic Stress Disorder and claims experience working with a number of populations in a number of different settings. He also offers individual or group clinical supervision to students in the field of mental health.
In an undated bio, Mr. Flynn also claims he is a specialist in research for Mind Light, LLC: “I am a specialist in research, conducting studies, have experience in pharmaceutical science, behavioral health, and have worked in many various settings affiliated with the research conducted on this site.” He also stated he had eight years’ experience in the Massachusetts prison system. Fred Schiffer, Founder and CEO of Mind Light, contacted DataBreaches.net to state that to his knowledge, Mr. Flynn would not have had any of their research participants’ records.
Lack of Transparency is Problematic, Public Records Requested
The broad range of claimed experiences and settings makes it difficult to guess what patients, prisoners, employees, or research participants may have had their data involved in the incident reported to Massachusetts, but the fact that SSNs, medical records, financial accounts, driver’s license numbers, and credit/debit numbers were involved is concerning. Were the medical records specific counseling records about psychological disorders or just coded records?
Because of the lack of transparency, we also do not know how far back any compromised files may go or how many people may be affected in total. This incident has not shown up on HHS’s public breach tool, and DataBreaches does not know whether Mr. Flynn is a HIPAA-covered entity.
In addition to emailing Mr. Flynn, DataBreaches filed public records requests with the Massachusetts Office of Consumer Affairs and the Foxboro, Massachusetts Police (the latter in case Mr. Flynn filed a police report about any incident). An inquiry was also sent to Mind Light LLC via their website contact form.
No replies were received by publication. This post will be updated if more information becomes available.
This post was updated on October 10, 2024 to add Mr. Schiffer’s statement that to the best of his knowledge, Mr. Flynn would not have had any of Mind Light’s research participants’ data.