Contributed by Micki Boland, Cyber Security Expert and Evangelist, Check Point Software
Jun 03 – The 20/20 Hearing Care Network has notified the Maine Attorney General of a protected health information (PHI) breach resulting in the data theft and deletion of 3,253,822 network member records including names, Social Security numbers, dates of birth, member ID numbers, and health insurance information. This breach now represents the largest PHI breach so far in 2021.
According to the HIPAA Journal, the 20/20 Hearing Care Network began notifying its affected members by mail around the 28th of May, 2021 and has offered free credit monitoring and identity protection.
The 20/20 Hearing Care Network PHI breach is attributed to unauthorized access to and compromise of the network’s AWS cloud storage, specifically AWS S3 buckets. Suspicious activity was detected on the 11th of January, 2021. At that time, 20/20 Hearing Care Network notified the FBI and took steps to stop the unauthorized access to its S3 buckets. Further investigation by a third-party forensics firm confirmed that 20/20’s S3 buckets were accessed and that data was downloaded and subsequently deleted.
The PHI breach filing with the Maine Attorney General classifies the incident as “insider wrongdoing”. The PHI breach has not yet been added to the US Department of Health and Human Services’ breach portal. Notably, 20/20 Hearing Care Network maintains that it does not have reason to believe its member data has been misused. However, 20/20 Hearing Care Network is unsure of what data was actually stolen because the data was deleted. No further information has been provided.
20/20 Eye Care Network, Inc. is a managed vision care company in Florida that offers administrative services to health plans. 20/20 Hearing Care Network expands those services into hearing care.
Stay tuned for future updates.