Amergis Healthcare Staffing email breach affects over 10K
Caitlin Anthoney Dec 11, 2024 8:33:50 AM
On November 18, 2024, Amergis Healthcare Staffing, Inc., formerly Maxim Healthcare Staffing, filed a notice of data breach with the Attorney General of Maine, reporting unauthorized access to sensitive consumer information due to compromised email accounts.
What happened
Amergis Healthcare Staffing recently detected unauthorized activity within several company email accounts. After securing the accounts, the company enlisted third-party cybersecurity experts to investigate. The investigation revealed that an unauthorized party accessed 11,329 individuals’ confidential information.
Although the specifics of the data vary depending on the individual, compromised information includes individuals’ names, contact details, Social Security numbers, and protected health information (PHI).
On November 18, the company sent out data breach notification letters to affected individuals. While these letters provide specific details of the compromised data, the redacted version submitted to the Maine Attorney General leaves broader details unclear.
What was said
The Amergis breach letter states, “Please note that we have no evidence at this time that any of your information has been misused as a result of the incident.”
The organization also reassures affected individuals, stating, “We take this incident seriously and are committed to the strength of our cybersecurity to prevent a similar event from occurring in the future. We are also focused on continuous awareness training and assessment of our data security.”
In the know
Data breaches in the healthcare sector are particularly damaging because they often involve a combination of personal and medical information, leading to risks such as identity theft, fraud, and privacy violations. Organizations are required by law to notify affected individuals promptly under state and federal regulations, such as HIPAA’s Breach Notification Rule.
Under this Rule, covered entities (including healthcare organizations) must notify affected individuals “without unreasonable delay” and within 60 days of discovering a breach involving PHI.
Why it matters
Compromised employee email accounts expose patients to identity theft and fraud. They also leave organizations vulnerable to HIPAA violation fines, legal consequences, and reputational damage.
FAQs
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Who needs to comply with HIPAA?
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).
How can providers make Google Workspace email HIPAA compliant?
Providers must use a Business or Enterprise plan, sign a business associate agreement (BAA) with Google, and use a HIPAA compliant platform, like Paubox, to protect patient information.