Update and possible correction: this may be a different breach than the one first reported in February 2020. The post below has been edited to reflect that while I attempt to verify if this was a second incident or not.
Yesterday, AIU issued a press release about an incident they say they discovered in January that resulted in access to information about some current and former employees, as well as their dependents and beneficiaries if they participated in AIU’s health of other benefit plans. That would likely put some of this under HIPAA. The incident also reportedly impacted sole proprietor vendors who received an IRS Form 1099 from the AIU (for tax years 2013 through 2020). The information in the files included names, addresses, email addresses, dates of birth, and Social Security numbers.
AIU’s full notice can be found on their web site at https://www.aiu3.net/Page/4522. There is nothing on HHS’s public breach tool at this time.
In January 2020, Conti threat actors dumped data from AIU in a ransomware incident. They claimed it was 50% of what they had exfiltrated.
This post will be updated once it’s clearer whether this is the same incident as last year’s or not.