The 20/20 Hearing Care Network has begun informing millions of present and previous members regarding the potential compromise or deletion of some of their protected health information (PHI).
On January 11, 2021, the provider detected suspicious activity in its AWS cloud storage account and immediately took steps to stop the hacker from further accessing the account. An investigation was started to find out the nature and extent of the data breach. Third-party forensics specialists who helped investigate confirmed the unauthorized access of the S3 buckets hosted in AWS, the download of data in those buckets, and the deletion of all files in the S3 buckets.
The forensic investigators affirmed at the end of February that certain data that was downloaded and deleted from the AWS storage account contained the PHI of several or all health plan members. Although data theft was ascertained, it wasn’t possible to know accurately which data was accessed or deleted from the S3 buckets. The potentially obtained types of data included names, birth dates, Social Security numbers, member ID numbers, and medical insurance data.
Beginning on or approximately May 28, 2021, 20/20 Hearing Care Network sent notification letters to all people possibly impacted by the breach. As a safety measure against improper use of member data, a number of impacted persons were provided with free credit monitoring and identity theft protection services.
In a breach notice, 20/20 mentioned that although there was confirmed data theft, it is convinced there was no misuse of member information. The report submitted with the Maine Attorney General categorizes this breach as ‘insider wrongdoing’.
Right after the security breach, 20/20 performed a tougher review of guidelines and procedures and took steps to strengthen security to avoid the same breaches later on.
The breach report was filed with the Maine Attorney General as impacting around 3,253,822 people, making this one of the biggest healthcare data breaches to be uncovered this 2021.