Update: This incident was subsequently reported to the Maine Attorney General’s Office on February 15 as impacting a total of 94,449 people.
Original post:
In January, DataBreaches.net noted a report to the Massachusetts Attorney General’s Office that involved Comprehensive Health Services (CHS), a business associate providing occupational health services to clients’ employees. The breach was not reported on this site at that time because we anticipated more reports or a press release. That happened this week, but in comparing this week’s notification to the January report to Massachusetts involving Anchor QEA, LLC, it appeared that the notification to Anchor QEA contained details not included in their press release yesterday concerning steps CHS took following the breach. Specifically, the January notification letter included:
What We Are Doing: In addition to taking immediate action upon learning of the attack, the Company implemented additional corrective actions as recommended by the forensic review team during its investigation. We have invested in enhanced network security measures, including: 1) purchasing a new suite of endpoint detection and response tools, and installing this software on all servers and endpoints on the network enterprise; 2) replacing our previous threat detection and monitoring surveillance vendor; 3) adding capabilities for extended detection and response to future attempted network intrusions; and 4) conducting network penetration testing.
Additionally, while the notification template submitted to Massachusetts contains an offer of mitigation services, there is no mention of that in the public press release or the notice on CHS’s website. Only those reading the actual notification might become aware of the offer. From the Massachusetts notification:
In order to help relieve concerns over possible identity theft as a result of this incident, and to restore confidence following this incident, we are offering you complimentary identity protection services through <redacted>, a leader in risk mitigation and response. These services include 24 months of credit monitoring, dark web monitoring, a $1,000,000 identity fraud loss reimbursement policy, and fully-managed identity theft recovery services.
This incident has not yet shown up on HHS’s public breach tool, so this post will eventually be updated with a note about how many patients may have been impacted. For now, here is CHS’s press release issued yesterday:
CAPE CANAVERAL, Fla. Feb. 11, 2022 /PRNewswire/ — On September 30, 2020, Comprehensive Health Services (“CHS”) detected unusual activity within its digital environment following discovery of fraudulent wire transfers. In response, CHS took immediate steps to secure its digital environment and promptly launched an investigation. In so doing, CHS engaged independent digital forensics and incident response experts to determine what happened and to identify any information that may have been accessed or acquired without authorization as a result. On November 3, 2021 , CHS learned that certain personal information may have been impacted in connection with the incident. CHS then worked diligently to identify address information required to effectuate notification.
There is no evidence of the misuse of any information potentially involved in this incident. However, on January 20, 2022, and February 14, 2022, CHS sent notification letters to the individuals whose personal information was potentially involved in this incident for whom CHS had identifiable address information providing them information about what happened and steps they can take to protect their personal information.
Based on the investigation of the incident, the following personal information may have been involved in the incident: name, date of birth, and / or Social Security number.
CHS takes the security of all information within its possession very seriously and is taking steps to prevent a similar event from occurring in the future, including investing in enhanced security measures.
CHS has established a toll-free call center to answer questions about the incident and related concerns. The call center is available Monday through Friday from 8:00 A.M. to 8:00 P.M. Central Time, Monday through Friday (excluding holidays) and can be reached at 1-800-741-0381.
The security of information is our top priority at CHS, and we are committed to safeguarding data and privacy. We deeply regret any worry or inconvenience that this matter may cause.
CHS has also posted substitute notice to its website providing individuals for whom addresses could not be located with information about the incident.
View original content:https://www.prnewswire.com/news-releases/notice-of-data-security-incident-301481106.html
SOURCE Comprehensive Health Services