Advocates Inc., a nonprofit based in Massachusetts that provides support services for persons suffering from life challenges like autism, addiction, brain injury, intellectual disabilities, mental health, and behavioral health, has announced that it recently encountered a sophisticated cyberattack and data theft event.
Advocates learned on October 1, 2021, that an unauthorized individual had acquired access to its network and copied files that contain the sensitive data of patients and workers. A top cybersecurity company was engaged to help with the investigation, which revealed that an unidentified person had accessed its system and duplicated files over a span of four days between September 14, 2021 and September 18, 2021.
The files included names, dates of birth, addresses, Social Security numbers, health insurance data, client ID numbers, diagnoses, and treatment details. After verifying the individuals affected, Advocates gathered up-to-date contact data in order to provide the written notices, hence the delay in sending notification letters.
The cyberattack report was submitted to the FBI and regulators. The breach report filed with the Department of Health and Human Services’ Office for Civil Rights indicates that the protected health information (PHI) of 68,236 people was included in the stolen records. Advocates stated it is not aware of any attempted or actual misuse of the stolen records; nonetheless, as a safety measure, impacted people were offered complimentary credit monitoring and identity theft protection services.
PHI Breached in Cyberattack on Medical Healthcare Solutions
The medical billing company Medical Healthcare Solutions, based in Boston, MA, has recently stated it suffered a cyberattack. The attack was uncovered on November 19, 2021, and steps were quickly taken to secure its network and prevent further unauthorized access. The investigation confirmed that an unauthorized individual had gained access to its system from October 1, 2021 to October 4, 2021, and duplicated selected files from its network.
An assessment of the stolen data files showed they comprised the following types of information: name, address, date of birth, sex, phone number, email address, driver’s license/state ID number, Social Security number, financial account number, payment card number, card CVV/expiration, routing number, diagnosis/treatment details, procedure type, provider name, prescription data, date of service, medical record number, patient account number, insurance group number, insurance ID number, insurance plan name, claim number, provider ID number, procedure code, treatment expense, and diagnosis code.
A final list of persons affected by the breach was obtained on January 8, and breach notification letters have already been issued. No-cost credit monitoring and identity theft protection services were provided to impacted persons. The incident report was sent to the HHS’ Office for Civil Rights; however, it has not yet appeared on the breach website, so it is currently uncertain how many persons were affected.