WV: Elkins Rehabilitation & Care Center notifies residents and employees of breach first discovered in February 2019
I know some people may think I’m being too harsh, but really — almost 1.5 years from detection to notifications to people of a breach? Their response in terms of preventing more incidents seems reasonable, but the gap to figure out that notification was needed and then whom to notify seems too long. What will HHS or the state attorney general of West Virginia do, if anything?
Here is the ERCC’s press release/notice:
ELKINS — Elkins Rehabilitation & Care Center has become aware of a data security incident that may have resulted in unauthorized access to some resident and employee information.
At this time, there is no evidence of any attempted or actual misuse of any personal information. However, ERCC is notifying, via first-class mail, any resident and employee whose information may have been accessed in order to provide details of the incident, ERCC’s response to the incident, and provide resources to help protect any residents and employees in the event they were affected.
Continuing to maintain your trust is a top priority at ERCC, and ERCC sincerely apologizes for any inconvenience or concern this incident may cause.
In February of 2019, ERCC found evidence to suggest that a limited number of ERCC’s employee email accounts may have been inappropriately accessed. Upon discovery of this evidence, ERCC immediately notified its information technology team, who undertook an investigation and found evidence to suggest that malware infected several systems within ERCC’s computer network between Feb. 4, 2019, and Feb. 7, 2019.
ERCC’s information technology team quickly moved to clean the infection, reset all users’ passwords, and identify the malware variant. Once ERCC determined that the variant of malware had the ability to extract emails, ERCC proceeded to engage an e-discovery expert to review the contents of the affected email accounts.
On July 1, 2020, after a thorough and full search of the compromised accounts was completed, ERCC discovered that the affected email accounts may have contained information about some of its current and former residents and employees, including first and last names in combination with one or more of the following attributes: limited protected health information, Social Security numbers, and/or driver’s license numbers.
Once again, ERCC has no evidence of attempted or actual misuse of anyone’s information as a consequence of this incident. Nonetheless, ERCC is informing its residents and employees of this incident out of an abundance of caution.
In light of this incident, ERCC is offering complimentary identity theft restoration and credit monitoring services through Kroll to help protect any impacted current and/or former residents and employees for a certain period of time. ERCC encourages residents and employees who think their information may be at risk to call (844) 929-2285 Monday through Friday, 9 a.m. to 6:30 p.m., EDT.
ERCC takes the security of all information in its control seriously, and is taking steps to help prevent a similar event from occurring in the future. This includes but is not limited to (1) replacing the affected hard drives, (2) installing and updating anti-virus and anti-malware software on all ERCC computers, (3) providing ERCC staff with ongoing security awareness training, and (4) notifying government regulators where appropriate.
Once again, ERCC sincerely regrets any inconvenience or concern that this matter may cause and remains dedicated to ensuring the privacy and security of all information in its control.