Sea Mar Community Health Centers in Washington state is a community-based organization that describes itself as being committed to providing quality and comprehensive health, human, housing, educational and cultural services to diverse communities, specializing in service to Latinos in Washington state.
On some exact date that is unknown to DataBreaches.net, threat actors gained access to Sea Mar’s network and exfiltrated what they claimed was 3 TB of data. The incident was posted on Marketo’s leaked data site in June. In Sea Mar’s case, Marketo claimed to have 201 bids for their data back in July.
As they did with all of their listings, Marketo uploaded a small proof of claims archive of files. It contained a few photos of identified pediatric dental patients. Each one held a sign with their name, date of birth, and date of photo. There were also a few insurance-related forms with patient information.
The proof pack appeared to be only files from 2013, and DataBreaches.net requested some proof of more recent data, but never really saw any, although Marketo claims that they had data that was as current as 2020.
Sea Mar did not respond to inquiries sent to it on June 24 about the attack and listing on Marketo. Nor did it respond to requests sent to it via its web site on July 21 and via Twitter DM on July 21 or a fourth request sent on July 28.
This week, Sea Mar issued a notice about the incident. Notice when Sea Mar said they were informed in the notice below. In their notice, they write:
On June 24, 2021, Sea Mar was informed that certain Sea Mar data had been copied from its digital environment by an unauthorized actor. Upon receipt of this information, Sea Mar immediately took steps to secure its environment and commenced an investigation to determine what happened and to identify the specific information that may have been impacted. In so doing, Sea Mar engaged leading, independent cybersecurity experts for assistance. As a result, Sea Mar learned that additional data may have been copied from its digital environment between December 2020 and March 2021. Sea Mar thereafter began collecting contact information needed to provide notice to potentially affected individuals, which was completed on August 30, 2021.
The data types involved included:
name, address, Social Security number, date of birth, client identification number, medical / vision / dental / orthodontic diagnostic and treatment information, medical / vision / dental insurance information, claims information, and / or images associated with dental treatment.
So protected health information was in the hands of criminals since last December, and people are first finding out now.
Sea Mar does not appear to be telling those notified that some data was dumped on the dark web and clearnet and other data was up for sale or bidding. Marketo’s site seems to be down at this time. If it reopens, will Sea Mar data be dumped or sold? And what will Sea Mar do then in terms of notification? This incident has not appeared on HHS’s breach tool by the time of this posting.
Updated Nov. 6, 2021: This incident showed up on the Maine Attorney General’s site as impacting 651,500. Their external counsel reported that the breach was discovered on August 30, 2021. Well, we know that’s not quite accurate if “discovered” means when they first learned there had been a breach of their system — that was already pretty clear in June and their letter to the state admits that they were informed on June 24 that data had been removed.
The incident has not yet shown up on HHS’s breach tool. Marketo’s leak site is online.