Passavant Memorial Homes Family of Services notifies 25,000 after someone alerts them to vulnerability
I’ve just read a breach notification from an incident that was reported to HHS as impacting 25,000. Reading it, it sounds like someone tried to tip the entity that they had a vulnerability and the tipster provided proof. But then their investigation couldn’t definitively prove that no data had ever been accessed or exfiltrated or misused, so the entity decided that it was obligated to deal with this as a reportable breach under HIPAA. It’s still a good thing that someone alerted them.
October 14, 2020
Today, Passavant Memorial Homes Family of Services (“PMHFOS”), inclusive of Passavant Memorial Homes (“PMH”), PDC Pharmacy, Life Enrichment Trust (“LET”), Life Enrichment Trust of New Jersey (“LET NJ”), Accessible Dental Services (“ADS”), and Passavant Memorial Homes Foundation (“PMHF”), a not-for-profit human services organization providing a holistic array of supports for individuals with intellectual disabilities, autism, and behavioral health needs, announced an event that recently occurred pertaining to their computer network.
Specifically, on Saturday, August 15, 2020, through the “Contact Us” webpage of the PMHFOS website (www.pmhfos.org), a communication was sent to PMHFOS by an unauthorized user. The unauthorized user obtained the username and password of an authorized user, highlighting a potential vulnerability within the computer network. The unauthorized user claimed not to have taken malicious actions (such as infecting the system with malware) in light of the “activity” of PMHFOS, presumably referencing PMHFOS’ mission and provision of services to individuals with intellectual disabilities, autism, and behavioral health needs.
PMHFOS responded immediately to this event. On August 15, 2020, PMHFOS reported the communication to law enforcement authorities and PMHFOS’ cyber insurance carrier. Forensic investigators were hired immediately to determine what information, if any, may have been affected. Investigators quickly verified that no viruses or malware were left behind on the system, and that no data had been encrypted. Forensic experts also ran a “dark web” search for any information related to PMHFOS data for this event, and no information was found.
On September 3, 2020, the forensics team provided its initial report. The team was unable to confirm or rule out the possibility that individually identifiable information may have been accessed or removed from the PMHFOS network. In an abundance of caution, PMHFOS mailed written notice of this occurrence to all potentially impacted individuals, informing them of the possibility that personal information, which in some cases may be protected health information (“PHI”) subject to the Health Insurance Portability and Accountability Act (“HIPAA”), may have been compromised. If you feel you may have been affected but did not receive notice of this occurrence, we encourage you to reach out to the toll-free number provided below for more information. Also, we encourage you to maintain strong password practices for online and electronic accounts, changing these passwords on a regular basis, and not sharing passwords across platforms or with other persons. Additionally, we advise regularly practicing credit monitoring and reviewing your credit history frequently.
The forensic investigation is ongoing to determine what, if any, personal information was affected. In addition, PMHFOS has taken numerous steps to prevent future similar occurrences, including disabling the compromised username and password, completing a system-wide password reset to enforce even stronger passwords, updating all software and hardware specific to network security, requiring additional network and security training, and investing in two-factor authentication technology.
PMHFOS is deeply committed to the provision of optimal supports and services for individuals with intellectual disabilities, autism, and behavioral health needs while maintaining the privacy and security of personal information. We sincerely regret that this incident occurred and apologize for any inconvenience caused. All subsequent communications will be available on the website: www.pmhfos.org. Any specific questions relating to this matter can also be addressed via our dedicated toll-free line: 1-833-752-0858.