Two Data Breaches at WA Senior Care Nonprofit Impact 103K
Washington-based senior care nonprofit Sound Generations experienced two data breaches that impacted over 103K individuals and potentially exposed PII.
Sound Generations, a nonprofit that provides food security, transportation, and health and wellness services to seniors and disabled adults in King County, Washington, experienced two data breaches that impacted a total of 103,576 individuals, according to the Office for Civil Rights (OCR) data breach portal. Sound Generations was identified as a business associate on the data breach portal.
An unauthorized party accessed Sound Generations’ computer systems and encrypted information on two separate occasions, once on July 18, 2021, and again on September 18, 2021.
“Sound Generations terminated the unauthorized access, and promptly commenced an investigation to determine the scope of the incidents,” the nonprofit stated in a notice on its website.
“The investigation was unable to rule out that information stored on Sound Generations’ systems may have been accessed by an unauthorized party.”
The exposed information may have included addresses, names, phone numbers, emails, and birth dates. For participants in the EnhanceFitness program, health insurance numbers and medical history information may have been exposed.
Sound Generations noted that it never collects or stores Social Security numbers, financial account information, driver’s license numbers, or credit and debit card numbers.
“After the conclusion of the third party’s forensics investigations, Sound Generations conducted its own investigation and due diligence to identify the affected individuals and the nature of their personal information that may have been compromised,” the statement continued.
“This investigation was necessary to provide accurate information and notice to the potentially impacted individuals. To date, Sound Generations has no reason to believe that there was a misuse of the information pertaining to the potentially impacted individuals.”
It is unclear whether Sound Generations discovered both the July and September breaches at the same time.
The nonprofit recommended that impacted individuals remain vigilant for incidents of fraud and identity theft and notify financial institutions if they suspect unauthorized account activity. Sound Generations also provided information on how to request a copy of a deceased family member’s credit report.
“Sound Generations values the privacy of its client information and will continue to do everything it can to protect it,” the statement said.
“Since the incidents, Sound Generations has greatly enhanced its cybersecurity controls, including changing passwords and installing additional security on its systems.”
This year’s healthcare data breaches impacted a collective 40 million individuals and exposed significant amounts of protected health information (PHI). Despite increased investments and focus on cybersecurity across the healthcare sector, threat actors are still successfully orchestrating sophisticated cyberattacks.
It is no longer sufficient to just implement technical and administrative safeguards. Putting incident response plans into practice through regular discussions and simulations can help organizations use these safeguards to their advantage.
“Some companies may just develop a plan and then make it available on the intranet or maybe email it around, and then that's the last time they mention it. It just goes into a drawer and doesn't really serve a useful purpose,” Nathan Salminen, senior associate at Hogan Lovells, previously told HealthITSecurity.
“Companies that conduct a tabletop exercise where they're bringing in stakeholders from a lot of different groups and practicing working through an incident tend to react better.”