Arizona Asthma and Allergy Institute Provides Notice of Maze Attack in 2020
An incident initially reported to HHS on May 3 has been updated to 70,372 patients from the initial report of 50,000. The following is the entity’s notice on their web site, and after you read it, I’ll meet you on the other side to explain it more, because they only discovered the breach when DataBreaches.net contacted them.
10/1/2015 – 6/15/2020
Arizona Asthma and Allergy Institute Provides Notification of Data Security Incident
Peoria, AZ – Arizona Asthma and Allergy Institute (“Institute”) announced today a data security incident that may have impacted limited protected health information belonging to Institute patients. The Institute takes the privacy and security of all information very seriously.
The Institute learned that certain data made publicly available under the name of a different organization for a brief period in September 2020, and may have included Institute data. Upon discovery, the Institute immediately began investigating, with the assistance of a third-party forensic security firm, to determine the scope of this incident. Based on this investigation, the Institute confirmed on March 8, 2021, that the available data included limited information related to Institute patients that received services between October 1, 2015 and June 15, 2020.
The personal information available included individuals’ first and last name in combination with their patient identification number, provider name, health insurance information, and treatment cost information. It is important to note that the Institute has no evidence to suggest that any personal information has been misused. Nonetheless, out of an abundance of caution, the Institute is providing notice to those affected individuals. The notices include information about this incident and about steps that potentially impacted individuals can take to monitor and help protect their information. The Institute takes the security of all information very seriously and has taken steps to enhance security measures to help prevent a similar occurrence in the future.
The Institute recommends that individuals remain vigilant in regularly reviewing and monitoring their explanation of benefits statements to guard against any unauthorized transactions or activity. The Institute has established a dedicated assistance line to address any questions individuals may have which can be reached at 855-654-0915, Monday through Friday, 7 a.m. to 7 p.m. Mountain Time. The Institute may also be contacted by mail at 13965 N 75th Ave, Peoria, AZ 85381.
Some additional details on this incident from DataBreaches.net’s files:
This incident was actually a ransomware attack by Maze threat actors that was posted to their dedicated leak site in 2020 as belonging to “Medical Management Inc.” or “MedMan.com.” The exact date it was first posted is not known to DataBreaches.net, but it was up longer than just a “brief period in September,” because in November, this site wrote again to medman.com to inquire about it. Then in January, when DataBreaches.net wrote an article about “Without Undue Delay,” an astute reader reached out to alert me that “MedMan” was the wrong attribution and that the data appeared to come from Arizona Asthma & Allergy Institute. And so on January 5, 2021, DataBreaches.net reached out to them.
They responded promptly, and DataBreaches.net provided them with a copy of the data dump that consisted of about 270 mb (compressed) of billing and insurance claims data, including EDI. The data dumps had been available on both Maze’s dark web and clear net leak sites.
So it appears that Arizona Asthma & Allergy had not detected any breach of their system in 2020 until DataBreaches.net contacted them in January, 2021 but then they pursued their investigation and notified HHS and patients.
Maze closed up shop months ago. But who wound up with their data and what is being done with it? The fact that the dump from Arizona Asthma & Allergy Institute is no longer available on Maze’s leak site is not any real reassurance that it is still not at some level of risk, although the data types do not readily lend themselves to some kinds of misuse.