Some breaches may be more embarrassing to admit to than others. Kudos to this therapist for forthrightly informing the Washington state attorney general what happened:
I am writing to advise you of a computer data breach, which occurred from December 2 to December 4, 2022. I was contacted by a person representing himself as an employee of the Iolo Software Company (the company whose virus software I use on my two business computers). I had purchased an additional encryption program from Iolo, which had mysteriously vanished from my computer with records that were stored within it. A hacker called and stated that the Iolo company was aware that my computer had been hacked and he offered to access my computers to clean any viruses and malware. I granted him access. On December 4, 2022, when he asked me to purchase eBay cards worth $300, I realized it had been a scam.
The Thurston County Sheriffs Department is investigating the breach. Today, I completed mailing out 640 letters to current and former clients whose information may have been compromised. I have paid for legal ads to be run in the Whidbey News Times, South Whidbey Record, Anacortes American, and the Seattle Times. I move to Olympia two years ago, having lived on Whidbey Island since 1975. My practice started in 2001, so approximately 97% of the 902 client affected live on Whidbey Island or Anacortes. Currently, I am doing telehealth counseling only.
The full notification to the state with a copy of the notification to individuals by Robert S Miller, LICSW, ACSW, PLLC can be found on Washington State’s breach site.
In response to the incident, the provider took a number of steps:
To further investigate the breach, mitigate harm, and to prevent something like this from happening again, we are taking the following steps: implementing additional technical security measures, including adopting encryption technologies; changing and strengthening passwords; reporting this event to law enforcement; removing all client information from our computers; having our computers accessed by a security software company to remove any viruses or malware; and providing identify theft protection to clients whose records contained social security numbers.