Following the discovery of suspicious activity on their databases, the 20/20 Hearing Care Network has begun contacting millions of current and former members to inform them that a portion of their protected health information (PHI) may have been compromised or deleted.
Suspicious activity was first discovered in its AWS cloud storage environment on January 11, 2021. The group moved swiftly to implement measures to address and to prevent additional unauthorized access. Once this had been arranged an investigation was initiated in order to gauge the extent of the breach and who it may have impacted. An external group of forensics experts help with the review and deduced that S3 buckets hosted in AWS had been infiltrated, data in those buckets downloaded, and then all data in the S3 buckets was removed.
In late February the forensic investigation revealed that a range of the data downloaded and removed from the storage platform included PHI for some or all health plan members for whom records were held. While data theft was identified, it was not possible to determine exactly which data had been accessed or removed from the S3 buckets. The range of data that may have been obtained in the attack included names, Social Security numbers, dates of birth, member ID numbers, and health insurance details.
The group began issuing notification letters to all those that may have been impacted on the breach around May 28, 2021. Additionally, free credit monitoring and identity theft protection services has been offered to certain affected individuals as a precautionary step against improper use of member data.
The breach notice submitted by 20/20 revealed that, while data theft was identified, the group is not of the opinion that there has been any misuse of member data. The report submitted with the Maine Attorney General referred to the incident as ‘insider wrongdoing’. 20/20 completed an in-depth review of policies and processes after the breach. Due to this steps have been implemented to enhance security and prevent similar breaches going forward.
HHS’ Office for Civil Rights has been made aware of the breach and that it may have impacted approximately 3,253,822 people.