Posted On December 30, 2022 Consumer Privacy & Data Breaches
December 30, 2022 – After a ransomware attack that exposed sensitive consumer information in its possession, FoundCare, Inc. filed notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights on December 16, 2022. According to the filing, an unauthorized party gained access to patient information through employee email accounts. The information accessed was patients’ full names, dates of birth, passport numbers, addresses, Social Security numbers, protected health information, and financial account numbers, such as credit card numbers. Once it confirmed that consumer data had been leaked, FoundCare sent out notification letters to all individuals affected by the data security breach.
The data breach lawyers at Console & Associates, P.C. are actively investigating the FoundCare data breach. If you have received a breach notification and are interested in learning what you can do to protect yourself and whether you are able to receive financial compensation from FoundCare, we are offering free consultations where we can discuss your legal options.
FoundCare, Inc. is a community health center that has seven locations throughout Florida, including North Palm Beach, Belle Glade, Palm Springs, Boynton Beach, and three locations in West Palm Beach. Services provided by FoundCare include chronic disease management, dental care, pediatric medicine, women’s health services, and behavioral health. Originally founded in 1985 as the Comprehensive AIDS Program of Palm Beach County, Inc. in West Palm, FL, FoundCare now employs over 111 people and generates approximately $23 million in revenue annually.
According to its filing with the U.S. Department of Health and Human Services Office for Civil Rights and a notice posted to the company website, FoundCare noticed suspicious activity on September 2, 2022. The company determined that an unauthorized party had gained access to employee email accounts. The company does not reveal further details on how the incident came to be. FoundCare began working with a third-party cybersecurity company to investigate the breach and determine what information had been leaked.
The investigation was completed on October 18, 2022. After learning that the consumer data was exposed to a third party, FoundCare’s next step was to review the files and determine what information was made available. The types of information exposed were patients’ full names, dates of birth, passport numbers, addresses, Social Security numbers, protected health information, and financial account numbers, such as credit card numbers. While the exposed data was not the same for each individual, any or all of the information listed may have been leaked due to the attack.
On December 16, 2022, FoundCare, Inc. sent out letters to all individuals whose sensitive information had been compromised. According to the U.S. Department of Health and Human Services Office for Civil Rights, 14,194 patients were affected by the breach.
If you receive a notice of a data breach from FoundCare, Inc., it means your personal information, including protected health information, was leaked to an unauthorized party. You might be wondering why it matters if someone has obtained your protected health information. What can they do with it?
Hackers will often obtain information about patients and sell it to a criminal looking for free health care. They can use that information to, essentially, steal your identity and receive medical treatment. That would leave you responsible for their medical bills. It can also lead to misinformation in medical records, such as lists of medications or medical history.
Only certain health information is considered protected. The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, identifies and controls all protected health information (PHI). According to its “Privacy Rule,” PHI is:
“All individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”
There are 18 identifiers that HIPAA considers protected, including:
The consumer privacy lawyers at Console & Associates, P.C. help customers affected by data and security breaches pursue legal solutions by offering free consultations. By explaining your rights in clear, concise terms, we help you make an informed decision about your next steps. If you are a victim of the FoundCare, Inc. data breach, Console & Associates, P.C. will investigate at no charge to you and offer advice on how to proceed. If you decide to pursue a case, rest assured that we don’t get paid unless you do. If your claim is successful, legal fees are either paid out of the funds recovered or by the defendant. If your claim is not successful, you pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by FoundCare, Inc. (here is the actual notice sent to consumers):
Dear [Redacted],
FoundCare, Inc. (“FoundCare”) experienced a data security incident that may involve the personal and protected health information of some individuals it serves. FoundCare takes the privacy and security of information in its possession very seriously and sincerely apologizes for any inconvenience this incident may cause. This notice is intended to alert potentially impacted individuals of the incident, steps we are taking in response, and resources available to assist and protect individuals.
What Happened: On or around September 2, 2022, FoundCare noticed suspicious activity in its email environment. In response, FoundCare engaged cybersecurity experts to conduct a thorough forensics investigation to determine the nature and scope of the suspicious activity. The investigation, which concluded on October 13, 2022, revealed that an unauthorized party gained access to a limited number of FoundCare email accounts and may have viewed personal data stored in those limited email accounts.
Based on these findings, FoundCare performed a review of all files and emails in the compromised email accounts to identify the specific individuals and the types of information that may have been compromised. On October 18, 2022, FoundCare determined the incident involved personal and protected health information.
Since then, FoundCare worked to identify the specific individuals impacted by the underlying incident in order to provide sufficient notice. FoundCare has no reason to believe that any individual’s information has been misused as a result of this event.
What Information Was Involved: While we have no reason to believe that information has been misused as a result of this incident, we are notifying individuals for purposes of full transparency. The types of information present in the limited number of compromised email accounts varied with each individual. Based on the investigation, the unauthorized party may have had access to: first and last name, address, email address, credit card number, social security numbers, date of birth, passport number, other unique identification number issued on a government document used to verify identity; medical condition, medical treatment; medical diagnosis; health insurance policy number; subscriber identification number; health plan beneficiary numbers; unique identifier used by FoundCare to identify the individual. The vast majority of individuals only had limited medical information impacted.
What We Are Doing: The security and privacy of individuals’ information contained within FoundCare’s systems is a top priority, and FoundCare is taking additional measures to protect this information. Since the incident, FoundCare has continued to strengthen its security posture by adding the following security controls: turning on Multi Factor Authentication (“MFA”) for all users of FoundCare.org; blocking all basic authentication methods for FoundCare.org users; turning on an Outlook security feature which provides a message stating: “You don’t often get email from [Redacted]” when receiving an email from a new address; reviewing all firewalls to ensure no unregulated access; continuous phishing awareness training for all staff.
In light of the incident, FoundCare is also offering complimentary credit monitoring and identity theft protection services to the potentially affected individuals. Notification letters will be sent to those impacted individuals with the information to enroll in the credit monitoring services. FoundCare strongly encourages all identified individuals to register for this free service.
What You Can Do: FoundCare encourages all individuals to remain vigilant against incidents of identity theft and fraud, to review their account statements, and to monitor their credit reports for suspicious or unauthorized activity. Additionally, individuals should contact their financial institution and all major credit bureaus to inform them of the incident and then take whatever steps are recommended by these institutions, which may include placing a fraud alert on the individual’s account.
For More Information: For individuals seeking more information or questions about this incident, please call FoundCare’s dedicated toll-free helpline at 1-833-520-2046 between the hours of 8:00 am to 8:00 pm Eastern Time, Monday through Friday.
Once again, FoundCare sincerely apologizes for any inconvenience this incident may cause, and remains dedicated to ensuring the privacy and security of all information in our control.