Posted On December 8, 2022 Consumer Privacy & Data Breaches
On December 6, 2022, Suncoast Skin Solutions filed notice of a data breach with the Attorney General of Maine after determining that an unauthorized party was able to access confidential patient information stored on the company’s computer system. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to patients’ names, dates of birth, Social Security numbers, clinical information, doctor’s notes, and other treatment information. After confirming that patient data was leaked, Suncoast began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Suncoast data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Suncoast Skin Solutions.
The available information regarding the Suncoast Skin Solutions breach comes from the company’s filing with the Maine Attorney General’s office. According to this source, on July 14, 2021, Suncoast Skin Solutions learned that some of the company’s computer systems had been encrypted by an unknown party. In response, Suncoast took steps to secure its computer systems and then began working with outside cybersecurity specialists in hopes of learning more about the nature and scope of the incident as well as whether any patient information was exposed.
The company’s preliminary investigation concluded on October 14, 2021, and confirmed that some files on the Suncoast network were accessed by an unauthorized party. However, Suncoast’s live Electronic Medical Record (“EMR”) system was not among the accessible files.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Suncoast Skin Solutions began to review the affected files to determine what information was compromised and which consumers were impacted. The company completed the first stage of this process in November 2021; however, “due to the nature and size of the potentially impacted data, the data mining process” took an additional ten months, concluding in October 2022. While the breached information varies depending on the individual, it may include your name, date of birth, Social Security number, clinical information, doctor’s notes, and other treatment information.
On December 6, 2022, Suncoast Skin Solutions sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. The Maine Attorney General reports that the Suncoast Skin Solutions data breach affected the sensitive information of 75,992 individuals.
Founded in 2008, Suncoast Skin Solutions is a dermatological practice based in Brandon, Florida. The company offers a wide range of dermatology services, with an emphasis on the prevention and treatment of skin cancer. The practice performs Mohs surgery, as well as other medical dermatological and non-medical dermatological services. Suncoast operates 18 offices across Florida, including in Brandon, Brooksville, Clearwater, Daytona Beach, Hudson, Largo, Lecanto, Leesburg, Lutz, Ocala, Palm Harbor, Punta Gorda, Riverview, Sarasota, Seminole, St. Petersburg, Tampa, and Winter Haven. Suncoast Skin Solutions employs more than 83 people and generates approximately $26 million in annual revenue.
The Suncoast data breach was first discovered in July 20021; however, as we approach the end of 2022, the company only recently filed notice of the breach with government entities. It is beyond question that Suncoast knew consumer data was leaked, so why wait to report the incident? Doesn’t waiting just give hackers time to use the sensitive patient information they stole from the company’s computer network?
Certainly, the answer to this question is “yes.” Hackers and other cybercriminals will try to use any information they obtain in a data breach as soon as possible to avoid giving consumers a chance to cancel their credit cards and alert potential lenders. Thus, by waiting to provide notice, a company gives hackers ample time to use the data for criminal purposes. However, there are some good reasons why companies do not announce a data breach immediately. Of course, there are also some not-so-good reasons.
One possible explanation for a delayed breach report is that the company did not realize it had been hacked until weeks or months after the incident. In these cases, there is little a business can do if it is unaware of a breach. Of course, those organizations with strong data security systems should be able to identify and contain a breach rather quickly. So, while companies can’t report a breach they are unaware of, that isn’t exactly a good excuse. Further, this does not seem to be the case with the Suncoast breach, as the company explains in its data breach letter that it was conducting an investigation shortly after the cyberattack.
Another reason why a data breach may not be reported immediately is that the company is cooperating with a law enforcement investigation. In some situations, law enforcement agencies ask businesses to wait to report a breach because doing so would alert the hackers that the breach has been detected and is under investigation. By not reporting the breach, it gives law enforcement time to investigate and potentially catch the criminals who orchestrated the attack.
Finally, a company may not immediately report a breach because it is in the process of reviewing the leaked data to see what exactly was exposed and which consumers were affected. Once a company learns of a data breach, it needs to review the compromised files, which can take time, especially in larger data breaches. Of course, a company should conduct an investigation with haste so as to not further delay notifying affected individuals. Moreover, there is nothing stopping a company from issuing a preliminary notice to all customers whose information may have been affected. Indeed, in the Suncoast data breach letter, the company notes that it posted notice on its website and in a “local media outlet.” However, whether this was sufficient to convey the importance of the incident to affected patients is an open question.
When a court hears a data breach lawsuit, one factor the court will consider is the efforts the company made to get all necessary information to victims in a timely manner. Thus, data breach lawyers frequently review companies’ investigative efforts to ensure they were timely and not just an excuse to delay notification.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Suncoast data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Suncoast Skin Solutions (the actual notice sent to consumers can be found here):
Dear [Redacted],
Suncoast Skin Solutions (“Suncoast”) is writing to inform you of a recent data security incident that may have resulted in unauthorized access to your sensitive personal information. While we are unaware of any fraudulent misuse of your personal information at this time, we are providing you with details about the incident, steps we are taking in response, and resources available to help you protect against the potential misuse of your information.
What Happened?
On or around July 14, 2021, Suncoast detected unusual activity on its network. Upon discovery of this incident, Suncoast immediately disconnected all access to the network and promptly engaged a specialized third-party cybersecurity firm to assist with securing the environment, as well as, to conduct a comprehensive forensic investigation to determine the nature and scope of the incident. The forensic investigation, which concluded on October 14, 2021, found evidence that some of Suncoast’s files were accessed by an unauthorized actor. However, this did not include Suncoast’s live Electronic Medical Record (“EMR”) system. Suncoast then did a preliminary review of their systems that concluded on November 8, 2021, and confirmed legacy patient information was potentially impacted. Based on these findings, Suncoast performed data mining on the affected systems to identify the specific individuals and the types of information that may have been compromised. Due to the nature and size of the potentially impacted data, the data mining process occurred from December to October, 2022. During the investigation, Suncoast proceeded with Substitute Notice pursuant to HIPAA by January 7, 2022 by posting notice of this Incident on its website and in a local media outlet.
On November 28, 2022, Suncoast finalized the list of individuals to notify, followed by organizing the mailing, call center, and credit monitoring services for the impacted population. This process was necessary to provide accurate information and notice to the potentially impacted individuals.
What Information Was Involved?
Suncoast has no evidence that any sensitive information has been misused by third parties as a result of this incident. Based on the investigation, the following information related to you may have been subject to unauthorized access: Name, [Redacted]. Please note not all individuals had the same potentially impacted information.
What We Are Doing
Data privacy and security is among Suncoast’s highest priorities, and we are committed to doing everything we can to protect the privacy and security of the personal information in our care. Since the discovery of the incidents, Suncoast moved quickly to investigate, respond, and confirm the security of our systems. Specifically, Suncoast disconnected all access to its network, changed all employee credentials, added logon hour restrictions for all hourly employees, increased its password complexity, enhanced its security measures, and took steps and will continue to take steps to mitigate the risk of future harm.
In addition, we are offering identity theft protection services through IDX, the data breach and recovery services expert. IDX identity protection services include: [Redacted] months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed id theft recovery services. With this protection, IDX will help you resolve issues if your identity is compromised.
What You Can Do
We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious or unauthorized activity. Additionally, security experts suggest that you contact your financial institution and all major credit bureaus to inform them of such a breach and then take whatever steps are recommended to protect your interests, including the possible placement of a fraud alert on your credit file. Please review the enclosed Steps You Can Take to Help Protect Your Information, to learn more about how to protect against the possibility of information misuse.
We encourage you to contact IDX with any questions and to enroll in the free identity protection services by calling 1-833-896-7334 or going to [Redacted] and using the Enrollment Code provided above. IDX representatives are available Monday through Friday from 9 am – 9 pm Eastern Time. Please note the deadline to enroll is March 6, 2023.
Again, at this time, there is no evidence that your information has been misused. However, we encourage you to take full advantage of this service offering. IDX representatives have been fully versed on the incident and can answer questions or concerns you may have regarding protection of your personal information.
For More Information
You will find detailed instructions for enrollment on the enclosed Recommended Steps document. Also, you will need to reference the enrollment code at the top of this letter when calling or enrolling online, so please do not discard this letter. If you have any questions or concerns not addressed in this letter, please call 1-833-896-7334 or go to [Redacted] for assistance.
Suncoast sincerely regrets any concern or inconvenience this matter may cause, and remains dedicated to ensuring the privacy and security of all information in our control.
