Communities Connected for Kids (CCK) is notifying 501 individuals that an unauthorized individual may have had access to their data for seven months following a successful hacking attack.
CCK, based in Port St. Lucie, Florida, was notified by one of its third-party vendors that an unauthorized individual may have gained access to the protected health information (PHI) of their child clients, their parents, and staff members.
In March 2019, the breach was discovered by the third-party vendor after suspicious activity was noticed on one of their databases which stored the confidential information. The vendor immediately took steps to mitigate the breach and contracted a computer forensics firm to help with the aftermath of the breach and the subsequent investigation.
The investigators discovered that the unauthorized party first gained access to the database in August 2018. The hacker had access to the information for 7 months, during which time they may have accessed, downloaded, exfiltrated, or altered the data.
The information exposed varied from individual to individual but may have included name, contact information, date of birth, Social Security number, financial information, family information, Medicaid number, medical record number, prescription information, health insurance information, and medical and clinical information such as diagnoses and treatment information.
Following HIPAA’s Breach Notification Rule, Health Quest submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights. The report indicated that the breach affected 501 individuals. As the investigation continues, that number is likely to change. Once all individuals have been identified, notification letters will be sent.
As individuals affected by data breaches are at heightened risk of becoming victims of fraud, CCK has offered to provide affected individuals free identity theft protection services.
In their HIPAA Notice to Media Outlets posted on their website, CCK stated: ‘CCK takes the privacy and security of sensitive information within its care very seriously. In response to this incident, CCK took immediate steps to identify the issues that allowed unauthorized access to its databases to occur and is working hard to address them.’
CCK has set up a confidential assistance line that affected individuals can use to obtain more information on the breach. The Notice also includes guidelines that individuals can follow to protect their information in the aftermath of the incident better.