20/20 Hearing Care Network Data Breach Impacts over 3.2 Million People

Following the discovery of suspicious activity on their databases, the 20/20 Hearing Care Network has begun contacting millions of current and former members to inform them that a portion of their protected health information (PHI) may have been compromised or deleted.

Suspicious activity was first discovered in its AWS cloud storage environment on January 11, 2021. The group moved swiftly to implement measures to address and prevent additional unauthorized access. Once this had been arranged, an investigation was initiated to gauge the extent of the breach and who it may have impacted. An external group of forensics experts helped with the review and deduced that S3 buckets hosted in AWS had been infiltrated, the data in those buckets downloaded, and then all data in the S3 buckets removed.

In late February, the forensic investigation revealed that the data downloaded and removed from the storage platform included PHI for some or all health plan members for whom records were held. While data theft was identified, it was not possible to determine exactly which data had been accessed or removed from the S3 buckets. The range of data that may have been obtained in the attack included names, Social Security numbers, dates of birth, member ID numbers, and health insurance details.

The group began issuing notification letters to all those who may have been impacted by the breach around May 28, 2021. Additionally, free credit monitoring and identity theft protection services have been offered to certain affected individuals as a precautionary step against improper use of member data.

The breach notice submitted by 20/20 revealed that, while data theft was identified, the group is not of the opinion that there has been any misuse of member data. The report submitted to the Maine Attorney General referred to the incident as ‘insider wrongdoing’. 20/20 completed an in-depth review of policies and processes after the breach. As a result, steps have been implemented to enhance security and prevent similar breaches going forward.

HHS’ Office for Civil Rights has been made aware of the breach, which may have impacted approximately 3,253,822 people.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years of experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth.