Posted On October 10, 2022 Consumer Privacy & Data Breaches
On October 6, 2022, Eventus WholeHealth, PLLC (“Eventus”) filed notice of a data breach with the Attorney General of Montana after an unauthorized individual gained access to an employee’s email account containing sensitive consumer information. While the company has yet to release the specific data that was leaked as a result of the data security incident, based on state data breach reporting requirements, it likely involved one or more of the following: Social Security numbers, financial account information or protected health information. After confirming that consumer data was leaked, Eventus began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Eventus data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Eventus WholeHealth, PLLC.
The available information regarding the Eventus WholeHealth breach comes from the company’s filing with the Attorney General of Montana. According to this source, on June 1, 2022, Eventus detected suspicious activity pertaining to an employee email account. In response, the company terminated all unauthorized access to the account and retained the services of an outside cybersecurity firm to assist with the company’s investigation.
As a result of the Eventus investigation, on August 17, 2022, the company confirmed that an unauthorized party had gained access to the employee’s email account, as well as the personal and sensitive information of certain individuals contained in emails and attachments.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Eventus WholeHealth began to review the affected files to determine what information was compromised and which consumers were impacted. Eventus has not yet released the specific data types that were subject to unauthorized access. However, under the Montana data breach reporting requirements, companies only need to report a breach if it involves one or more of the following:
On October 6, 2022, Eventus WholeHealth sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Eventus WholeHealth, PLLC is a healthcare provider based in Concord, North Carolina, that was formed as a result of a merger between OnsiteCare, Extended Care Specialist, and DoctorsMakingHouseCalls. Eventus WholeHealth provides primary care and mental health services to medically vulnerable adults residing in post-acute care facilities, assisted living, and independent living communities. Eventus WholeHealth employs more than 311 people and generates approximately $13 million in annual revenue.
In the notice provided to those whose information was leaked, Eventus WholeHealth, PLLC explains that the data breach resulted from an unauthorized party gaining access to an employee’s email account. While hackers have a few different ways to get ahold of an employee’s email login credentials, most email-based cyber attacks involve “phishing.”
In fact, according to the Identity Theft Resource Center, phishing made up 33% of all cyberattacks in 2021, making them the most common type of cyberattack. In large part, this is because phishing attacks are one of the easiest attacks for hackers to carry out and have an incredibly high success rate. For example, in 2021, U.S. employees received an average of 14 malicious emails per year. However, some employees in certain industries received more than four times that number.
Phishing is a type of cyberattack where a hacker sends a fraudulent email to an employee of a company. In the email, the hacker uses principles of social engineering to trick an employee into either giving the hacker their login credentials or clicking on a malicious link. If the employee provides the hacker with their email login credentials, this enables the hacker to access any information contained in the employee’s email account. And, if the employee clicks on a malicious link, doing so may install malware on their computer, which is commonly the approach used in ransomware attacks. Either way, sensitive consumer information ends up in the hands of cybercriminals.
Of course, phishing emails are designed to look official, and hackers are adept at making these fake emails look very real. For example, hackers may use the correct company logo and use a very official-sounding email address. These emails look so official that many employees are duped into doing exactly as the hackers want. In fact, in 2021, 86% of companies reported having at least one employee click a phishing link.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Eventus data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Eventus WholeHealth, PLLC (the actual notice sent to consumers can be found here):
Eventus WholeHealth, PLLC (“Eventus”) is committed to the privacy of individuals and takes the protection of personal information that is entrusted to it seriously. Unfortunately, we are writing to make you aware of a recent data security incident that may have involved some of your personal information.
What Happened. On June 1, 2022, we observed suspicious activity associated with a single Eventus email account, despite multi factor authentication on the account. We immediately terminated all access to the account and launched an investigation to determine whether the account contained any sensitive personal information. On August 17, 2022, the investigation determined that an unauthorized individual gained access to the account and may have had access to certain personal information. Please note that we have no evidence that the unauthorized third party actually viewed any of your information, but because we cannot prove that they did not, we are required by law to provide you with this notice.
What We Are Doing. Upon learning of the situation, we promptly began an internal investigation and contained the incident by securing the account to prevent further access. We also hired a leading forensic and security firm to further investigate the incident and confirm the security of our computer systems and network. We have been notifying individuals on an ongoing basis as we worked to identify individuals with information in the account. We are committed to taking steps to help prevent something like this from happening again.
Although we are not aware of any instances of fraud or identity theft involving your information, we are offering you a complimentary one-year membership of Experian IdentityWorksSM Credit 3B. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification and resolution of identity theft. IdentityWorksSM Credit 3B is completely free to you and enrolling in this program will not hurt your credit score. For more information on identity theft prevention and IdentityWorksSM Credit 3B, including instructions on how to activate your complimentary, one-year membership, please see the additional information attached to this letter.
What Information Was Involved. While we did not see any evidence to suggest that the unauthorized individual gained access to the account to view personal information, in an abundance of caution, we reviewed the entire email account for personal information. On September 6, 2022, our investigation confirmed that the account contained your name, [Redacted].
What You Can Do. You can find more information on steps to protect yourself against identity theft or fraud, including the tips provided by the FTC on fraud alerts, security/credit freezes, and steps you can take to avoid identity theft, in the enclosed Additional Important Information sheet. We also recommend that you enroll in the complimentary credit monitoring services that are being offered to you.
For More Information. For further information and assistance, please call [Redacted] Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time, excluding major U.S. holidays.
We value the trust you place in us and take our responsibility to safeguard your personal information seriously. We apologize for any inconvenience this incident might cause.