Data Breaches at Receivables Performance Management and Acuity Brands

Georgia-based Acuity Brands and Washington-based Receivables Performance Management recently announced data breaches. The latter's breach has affected over 3.7 million people.

Receivables Performance Management

Receivables Performance Management (RPM) in Lynnwood, WA, a business associate of a few HIPAA-covered entities, has just begun notifying individuals affected by a 2021 ransomware attack. RPM detected the attack on May 12, 2021, and its investigation confirmed that its network was first breached on April 8, 2021. File encryption, however, only began on May 12.

RPM stated that it was able to block the attack and recover its systems in just 36 hours, and that it engaged a computer forensics firm to investigate the breach and determine the nature and extent of the attack. However, the types of data and the people affected were identified only on October 2, 2022. RPM said the investigation took so long because of the infrastructure complexities of RPM's server. RPM stated it received confirmation that the information is not under the control of the third party(ies) connected to this incident.

RPM said personal data, including Social Security numbers, was likely exposed. Affected individuals are being offered free credit monitoring services. RPM stated it is working with security professionals to strengthen its defenses and prevent similar breaches in the future. At this point, the number of individuals affected by the breach is not yet certain. The breach report sent to the Maine Attorney General shows a total of 3,766,573 people were affected, with roughly 500,000 of them living in Texas. The breach has not yet been published on the HHS' Office for Civil Rights breach website.

Acuity Brands Data Breach

Georgia-based lighting and building management company Acuity Brands reported that unauthorized persons gained access to its system from December 7 to December 8, 2021, and extracted a number of files. During the breach investigation, Acuity Brands identified a prior security breach that occurred from October 6 to October 7, 2020. In that earlier incident, unauthorized persons had tried to copy files from its database.

An analysis of all files possibly accessed in the two incidents revealed that the files held the data of current and former health plan members and employees. The incident only affected the data of employees. No client data was exposed.

The two incidents resulted in the exposure and potential theft of files containing names, driver's license numbers, Social Security numbers, financial account details, and some health information related to other aspects of a person's employment with Acuity, for example, injury data associated with workers' compensation claims or with leave requests under the Family and Medical Leave Act. The kinds of data involved differed from one person to another. Free credit monitoring memberships are being provided to eligible individuals. Additional security measures have been implemented to prevent further data breaches.

The incidents have not yet been posted on the HHS' Office for Civil Rights breach website, so it is currently unclear how many individuals were affected.