In November, 2018, this site noted a breach disclosed by Huntsville Hospital involving JobScience, Inc., a vendor providing online job application services. On November 10, we reported that other entities were also affected, such as Tallahassee Memorial Hospital, who had been notified in September by JobScience, and NorthBay Healthcare Corp., who were notified in October. Although not posted on this site, DataBreaches.net subsequently noted that El Centro Regional Medical Center had also been notified by JobScience.
DataBreaches.net reached out to JobScience and Bullhorn everal times but never received any replay at all. Similarly, Huntsville Hospital Health did not reply to two requests for information on this breach.
And there things remained for a while. Until today, when I see that Advocate Sherman Hospital submitted notification to the California Attorney General’s Office about the same May, 2018 incident.
In their letter, Matt Pattelli, their VP – Human Resources, refers to JobScience as a “former service provdier,” and says that they “recently discovered an incident…..”
Recently? Define “recently.”
What took so long for discovery and notification? Pattelli’s letter provides some clues, but not a really clear explanation:
After provision of additional information by Jobscience in December 2018 and further investigation, we were able to identify in February 2019 that your data was involved. Jobscience stated that law enforcement is aware of the incident, but this notification was not delayed as a result of a law enforcement investigation.
Given that personal information may have included names, contact information, dates of birth, resumes and Social Security Numbers, you would hope that notification and protective services would be offered quickly. If other hospitals notified applicants in November, 2018, why did it take so long in this one hospital’s case? What information wasn’t provided to the hospital that it seemed to need?
Yes, JobScience arranged for services for those affected — even though there is no longer any relationship with the hospital, but what happened here? And are there any other hospitals that are still first notifying job applicants because of this incident?
DataBreaches.net sent an inquiry earlier today to Advocate Sherman Hospital asking when they were first notifed by Jobscience and why the notification wasn’t sufficient to enable them to do notifications more promptly. The inquiry also asked whether the hospital terminated their relationship with Jobscience as a result of the incident or if that was unrelated. DataBreaches.net has received no resply as yet, but will update this post if a response is received.