Do you know the single biggest breach report filed with Massachusetts so far this year?
It would be understandable if you guessed Change Healthcare, but there is no publicly listed report from them yet to Massachusetts, so it’s not them. And it’s not the Loan Depot breach reported in February as affecting 406,849 Massachusetts residents or the AT&T breach reported in April that affected 161,272 Massachusetts residents.
The biggest breach reported so far to Massachusetts this year was reported by an entity most people have probably never heard of: Edward Flynn, LMHC.
What We Know So Far
According to Massachussetts’ breach tool, 575,000 Massachusetts residents were affected by an incident involving their Social Security Numbers, Medical Records, Financial Accounts, Driver’s Licenses, and Credit/Debit Numbers. The breach was reported to them on July 6, 2024.
But what happened? Massachusetts uploads template notification letters. Where there is no letter corresponding to the assigned number, the site informs the public that “If an assigned data breach number is not listed, the consumer was contacted via phone or another mode of communication, and no letter was sent.”
There was no letter listed for the assigned number for the Flynn incident and DataBreaches could find no substitute notice, press release, or notification to any other regulator.
DataBreaches emailed Mr. Flynn to ask for a copy of any substitute notice, notification letter, or explanation of the reported incident. He replied to the email saying, in part, that he didn’t know who I was or why DataBreaches was trying to have him “provide evidence since none of your business. Have a good one.”
DataBreaches responded to Mr. Flynn that yes, this site reports on breaches. DataBreaches asked him again for an explanation of the report to Massachusetts, but no reply has been received by publication.
Because he did not provide any explanation for the breach, DataBreaches considered what is known about his professional activities that could help predict who might have been affected.
Who is Edward Thomas Flynn, LMHC
![](http://databreaches.net/wp-content/uploads/etf.png)
Based on the results of a Google search: Edward Thomas Flynn has a masters degree in education and is a licensed mental health counselor and school adjustment counselor in Massachusetts. He offers treatment services for anxiety, depression, trauma, and Post-Traumatic Stress Disorder and claims experience working with a number of populations in a number of different settings. He also offers individual or group clinical supervision to students in the field of mental health.
In an undated bio, Mr. Flynn also claims he is a specialist in research for Mind Light, LLC: “I am a specialist in research, conducting studies, have experience in pharmaceutical science, behavioral health, and have worked in many various settings affiliated with the research conducted on this site.” He also stated he had eight years experience in the Massachusetts prison system.
Lack of Transparency is Problematic, Public Records Requested
The broad range of claimed experiences and settings makes it difficult to guess what patients, prisoners, employees, or research participants may have had their data involved in the incident reported to Massachusetts, but the fact that SSN, medical records, financial accounts, drivers license numbers, and credit/debit numbers were involved is concerning. Were the medical records specific counseling records about psychological disorders or just coded records?
Because of the lack of transparency, we also do not know how far back any compromised files may go or how many people may be affected in total. This incident has not shown up on HHS’s public breach tool, and DataBreaches does not know whether Mr. Flynn is a HIPAA-covered entity.
In addition to emailing Mr. Flynn, DataBreaches filed public records requests with the Massachusetts Office of Consumer Affairs and the Foxboro, Massachusetts Police (the latter in case Mr. Flynn filed a police report about any incident). An inquiry was also sent to Mind Light LLC via their website contact form.
No replies were received by publication. This post will be updated if more information becomes available.