Posted On January 26, 2022 Consumer Privacy & Data Breaches
January 26, 2022 – Last year, the American Osteopathic Association informed more than 27,000 individuals that their sensitive personal, identifying and financial information was compromised in a breach of the Association’s systems. In June 2020, the American Osteopathic Association learned that an unauthorized third party gained access to and removed several files from the Association’s servers. These files contained sensitive consumer information, including the full names, Social Security numbers and financial account information of the affected parties.
A data breach occurs when an unauthorized party—often a hacker or criminal—surreptitiously gains access to sensitive consumer information that is in the possession of a company or other organization. Often, these bad actors specifically target organizations that rely on inadequate data security measures. Hackers typically either use the information they obtain in a cyberattack to commit identity theft themselves or sell the data on the black market. While victims of a data breach may not immediately notice suspicious activity on their accounts, it is essential they take the necessary steps to protect themselves from identity theft and other potentially significant financial losses.
Anyone in receipt of an American Osteopathic Association data breach letter should proceed with caution. Since the beginning of the COVID-19 pandemic, the instances of identity theft have dramatically increased. In many of these cases, the party committing identity theft obtained the information needed to commit their crimes through a data breach.
If you recently received a data breach letter from the American Osteopathic Association, it is essential that you remain vigilant. Additionally, if evidence emerges that the American Osteopathic Association mishandled your data or was negligent in how it cared for your information, you may be eligible for financial compensation through a data breach lawsuit.
When you trusted the American Osteopathic Association with your information, you hoped that the organization would take your privacy seriously. Certainly, you assumed that they would take all steps necessary to prevent your information from ending up in the hands of a potential criminal. However, this data breach raises serious questions about the Association’s data security measures.
Organizations like the American Osteopathic Association have an ethical and legal duty to protect consumers’ personal, identifying, financial and health information. While developing a robust data-privacy system requires companies to expend significant resources, this is merely a cost of doing business in an environment where cyberattacks are common. If an organization fails to protect consumers’ sensitive information, it may be liable through a data breach class action lawsuit. Of course, the laws surrounding data breach liability are complex, and there is not yet any indication that the American Osteopathic Association was negligent in how it handled consumer data. However, our data breach law firm is actively investigating the breach to determine the legal remedies affected parties may have against the American Osteopathic Association.
If you have questions about your ability to bring a class action lawsuit against the American Osteopathic Association, it is important that you reach out to a data breach attorney as soon as possible.
If you recently got a data breach notification from the American Osteopathic Association, an unauthorized person may have accessed, viewed, and retained your sensitive personal information. While no one can know why someone sought out your information and what they plan to do with it, given the risks involved, it is important you give the situation the seriousness it requires.
Below are a few ways to protect yourself from identity theft and the other possible financial risks data breaches such as this one present:
The American Osteopathic Association is a representative member organization for osteopathic medical doctors and medical students planning to go into the field of osteopathic medicine. The American Osteopathic Association is also the primary certifying body for doctors of osteopathic medicine as well as the accrediting agency for all osteopathic medical schools. The American Osteopathic Association represents more than 168,000 osteopathic physicians and medical students across the United States.
According to the most recent data breach letter released by the American Osteopathic Association (“AOA”), on June 25, 2020, the Association first noticed suspicious activity on some of its servers. In response, AOA worked with a third-party data-security firm to look into the incident. It was discovered that certain consumer data was removed from AOA servers. However, due to the burdens imposed by the COVID-19 pandemic, the Association did not discover the full list of affected parties until the following year. Eventually, the investigation revealed that the sensitive information of nearly 27,500 individuals was compromised. This data includes:
The American Osteopathic Association explains that there is no indication that the unauthorized third party used or intends to use the data obtained through the cyberattack. However, an investigation is ongoing. On July 1, 2021, the company sent data breach notifications to all affected parties, informing them of the breach and what they can do to protect themselves.
Below is a copy of the initial data breach letter issued by the American Osteopathic Association (a sample of the actual notice sent to consumers can be found here):
The American Osteopathic Association (“AOA”) is writing to notify you of a recent incident that may have impacted the security of your information. We want to provide you with information about the incident, our response, and steps you may take to better protect against possible misuse of your personal information, should you feel it necessary to do so.
What Happened? On June 25, 2020, AOA became aware of suspicious activity relating to certain systems. Upon discovery, AOA worked with third party forensic investigators to investigate the nature and scope of the activity, and the AOA systems of interest. We determined that certain information within our systems was exfiltrated from our systems by an unauthorized actor. In response, we conducted a deliberate and thorough assessment of the information impacted during this event and to whom that information pertained. Like many businesses, the COVID-19 pandemic presented considerable challenges to AOA’s normal business operations. As a result, it has taken an extended time for AOA to identify the names and addresses of impacted individuals due to the pandemic’s impact on our staff’s working conditions, and their inability to be on location to identify all potentially impacted parties. On June 1, 2021, we confirmed that information relating to you was impacted by this event. While we are unaware of any actual or attempted malicious use of your information as a result of this incident, we take the security of data we hold very seriously, and are notifying you out of an abundance of caution.
What Information Was Involved? The investigation determined that your <<b2b_text_1(data elements)>> were exfiltrated by an unauthorized actor.
What We Are Doing. The confidentiality, privacy, and security of personal information within our care is among AOA’s highest priorities. Upon learning of the event, we investigated to determine those individuals that were affected, and secured the compromised accounts. We have taken additional steps to improve security and better protect against similar incidents in the future. In an abundance of caution, we are also notifying potentially affected individuals, including you, so that you may take further steps to best protect your personal information, should you feel it is appropriate to do so. Although we are unaware of any actual or attempted misuse of your personal information as a result of this event, we arranged to have Kroll provide identity monitoring services for 12 months at no cost to you as an added precaution.