Posted On October 25, 2022 Consumer Privacy & Data Breaches
On October 21, 2022, Phoenix Programs of Florida, Inc. filed notice of a data breach with the Massachusetts Attorney General after the company confirmed that an unauthorized party had gained access to various employee email accounts. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names; Social Security numbers; driver’s license numbers; dates of birth; credit/debit card numbers, expiration dates and CVV/security codes; digitized or electronic signatures; and Client IDs. The breach also impacted individuals’ protected health information, including that related to medical history, health conditions, treatments, diagnoses, and health insurance information. After confirming that consumer data was leaked, Phoenix House Florida began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Phoenix House Florida data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Phoenix Programs of Florida, Inc.
The available information regarding the Phoenix Programs of Florida breach comes from the company’s filing with the Massachusetts Attorney General, as well as a notice posted on the company’s website. According to these sources, the Phoenix House of Florida recently learned that an unauthorized party gained access to certain organizational email accounts between the dates of July 13, 2021 and November 1, 2021.
In response, Phoenix House Florida reset all email login credentials and enlisted the help of a third-party data security firm to investigate the incident. The investigation confirmed that an unauthorized party had access to employee email accounts and could not rule out that the unauthorized party viewed or removed information from those accounts. It was also determined that the email accounts contained sensitive information pertaining to certain individuals.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Phoenix Programs of Florida began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name; Social Security number; driver’s license number; date of birth; credit or debit card number, card expiration date, and card CVV/security code; digitized or electronic signature; Client ID; information regarding medical history, condition, treatment, or diagnosis; and health insurance information.
Starting on October 19, 2022, Phoenix Programs of Florida sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Phoenix Programs of Florida, Inc. is a nonprofit drug and alcohol rehabilitation organization with centers throughout the United States. Phoenix House Florida is based in Brandon, Florida. Phoenix House as a whole employs more than 2,700 people and generates approximately $101 million in annual revenue.
Phoenix Programs of Florida explains in its data breach letter that the recently announced breach was the result of an unauthorized party gaining access to certain employee email accounts. While the company provided some details about what led to the incident, one fact the company did not discuss is how the unauthorized party was able to obtain access to the affected email accounts.
There are a few ways that hackers can access employee email accounts. However, most email-based cyber attacks involve an email phishing attack.
Phishing is a type of cyberattack in which a hacker sends an email from a seemingly legitimate source in hopes of obtaining an employee’s login credentials or otherwise gaining access to an organization’s computer network. Phishing emails are designed to look official; for example, they may contain the actual company logo and will most likely originate from an almost identical domain name. In the body of the email, the hacker uses principles of social engineering to “trick” the employee into giving them the information they need to access the employee’s email account. Hackers may do this by notifying an employee that they need to perform routine maintenance, reset their password, or complete some other task that requires them to provide their login credentials.
Most often, hackers request the employee’s login credentials or include a malicious link that, when clicked, takes the employee to an unrelated website. On the website, the employee is asked to either verify their information or download a file. In some cases, hackers will attach malicious files to the phishing email. If the employee installs the malware on their computer, this gives the hacker access to the company’s IT network.
Phishing emails are incredibly common. In fact, according to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing. Companies can prevent phishing attacks, however, by training employees to be on the lookout for these fraudulent emails.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Phoenix House Florida data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Phoenix Programs of Florida, Inc. (the actual notice sent to consumers can be found here):
Phoenix Programs of Florida (“Phoenix House Florida” or “we”) recently learned that an unauthorized third party accessed certain Phoenix House Florida email accounts at various times between July 13, 2021 and November 1, 2021. While Phoenix House Florida is not aware of any fraudulent activity or misuse of information as a result of the incident, it is posting this Notice to alert you of what happened.
Upon learning of this incident, Phoenix House Florida promptly reset the credentials of the involved email accounts and engaged a leading forensic security firm to investigate the incident. The investigation identified no indication that the unauthorized third party actually viewed or acquired any personal information while accessing the accounts. Nevertheless, as part of the investigation, an intensive search for any personal information in the email accounts that the unauthorized third party could have viewed was undertaken. On September 2, 2022, Phoenix House Florida determined that the accounts contained some individuals’ personal information. The type of information at issue varied for each individual, but may have included the following: name; Social Security number; driver’s license number; date of birth; credit/debit card number, card expiration date, and card CVV/security code; digitized or electronic signature; Client ID; information regarding medical history, condition, treatment, or diagnosis; and health insurance information.
On October 19, 2022, Phoenix House Florida began sending written notification to the individuals whose personal information was contained in the accounts and for whom it has contact information. Individuals should refer to the notice they will receive in the mail regarding steps they can take to protect themselves. As described in those letters, Phoenix House Florida has arranged for complimentary identity theft protection services for those individuals whose Social Security numbers or driver’s license numbers were involved in the incident.
As a precautionary measure, involved individuals should remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing their account statements, monitoring their credit reports closely, and notifying their financial institutions if unusual activity is detected. They should also promptly report any fraudulent activity or suspected identity theft to proper law enforcement authorities, including the police and their state’s attorney general. Affected individuals may also wish to review the tips provided by the Federal Trade Commission (“FTC”) on fraud alerts, security/credit freezes and steps that they can take to avoid identity theft. For more information and to contact the FTC, please visit [Redacted] or call 1-877-ID-THEFT (1-877-438-4338). Affected individuals may also contact the FTC at: Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.