John P. Meehan Agency, an insurance broker in Pennsylvania, issued a press release on November 22. It begins:
John P. Meehan Agency, Inc. (“Meehan”) takes the protection of personal information seriously. As part of that commitment, we are writing to notify you of a data privacy incident involving personal information of certain individuals.
The wording almost suggests that notification was voluntary as part of their commitment, but wasn’t notification required by law?
Their notification continues:
On July 8, 2024, we discovered unusual activity in our network. Immediately following the discovery of the incident, we engaged outside experts, including IT forensic specialists, to investigate. After a thorough investigation, we confirmed that there was unauthorized access to a single employee email account between July 2, 2024 and July 8, 2024, and that data on the account was acquired.
The information involved varied by individual but may have included individuals’ names, Social Security numbers, driver’s license or state identification numbers, passport numbers, financial account information, payment card information, dates of birth, and medical information.
That is a lot of personal information that could put individuals at risk of identity theft, tax refund fraud, and other forms of fraud. Pennsylvania’s breach notification law, amended in September 2024, requires notification without unreasonable delay. From July 2024 to November 2025 will not sound “reasonable” to most people.
A copy of the notification letter can be found on the agency’s website. The notification does not reveal how many people were affected or had data in the one employee’s email account, but its report to the Maine Attorney General’s Office indicates 2,326 people were affected.
Meehan is offering complimentary services to those affected. They do not, however, explain what they are doing to prevent another incident of this kind. Was this a phishing attack? Had the employee had their credentials stolen by an infostealer? Although some states require notification letters to state what the entity will do to prevent a future breach of the same kind, Pennsylvania law, amended in 2024, does not appear to require that element.