Population health management firm CareATC, based in Tulsa, OK, has learned that unauthorized people accessed the email accounts of two workers and may have gained access to the personal data of patients and workers.
CareATC started an investigation on June 29, 2021, upon detecting suspicious activity in the email account of a worker. Third-party forensics professionals assisted with the breach investigation to determine the magnitude and scope of the security incident. According to the investigation results, a second email account was also exposed. Unauthorized access to the two email accounts occurred from June 18 to June 29, 2021.
When CareATC discovered the compromised email accounts, it took steps to prevent any further unauthorized access and conducted a detailed review to identify which patient information was exposed. The assessment was finished on August 11, 2021.
For most of the impacted persons – including patients, workers, and dependents of patients and workers – the data in the breached email accounts only included names and birth dates. Other people additionally had at least one of these data elements exposed: driver’s license number, Social Security number, birth date, financial account data, medical history, treatment data, medical insurance data, US Alien Registration number, passport number, digital/electronic signature, and username and password.
Notices have already been delivered to impacted people for whom valid mailing addresses were kept. CareATC, together with third-party cybersecurity professionals, is improving email security. The provider also took steps to reinforce its email system security. CareATC additionally stated that workers received extra training on email security.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicated that the breach affected 98,774 patients.