Massive breach at Mystic Valley Elder Services exposes info of 87,000
Kirsten Peremore Nov 8, 2024 6:18:50 AM
Mystic Valley Elder Services (MVES) experienced a security incident earlier this year, resulting in the exposure of over 80,000 patients' data.
What happened
In early April, MVES, a Massachusetts-based non-profit providing health services to the elderly and people with disabilities, detected a data breach. An immediate investigation was launched, revealing over the following months that the attacker might have accessed files containing patient information.
By June, MVES began notifying affected individuals of the breach’s scope. The organization has further reported to Maine’s attorney general and the U.S. Department of Health and Human Services that about 87,000 individuals were affected.
What was said
In the notice of data privacy incident, MVES said, “The forensic investigation confirmed that the third party accessed MVES’ computer systems on April 5, 2024, and that certain files may have been acquired from MVES’ systems as part of the incident.”
Why it matters
The incident was a data exfiltration breach, where attackers gained access to MVES’s systems and potentially stole patient information. Breaches like this are concerning in any setting, and especially so when they affect vulnerable populations. In this case, MVES could have avoided the breach had targeted cybersecurity measures like vulnerability assessments and endpoint detection and response systems been implemented.
FAQs
What is a data breach?
An incident where an unauthorized party gains access to or steals sensitive information.
Why do organizations have to notify affected individuals?
Organizations must notify affected individuals so that they are aware of the potential risks that could follow the breach, such as identity theft.
What is the Breach Notification Rule?
It requires healthcare organizations covered by HIPAA to notify individuals, the HHS, and sometimes the media when unsecured PHI is compromised.