
Numotion reports second data breach in 2024

United Seating and Mobility, operating as Numotion, reported a data breach involving unauthorized access to employee email accounts, exposing sensitive patient information.

 

What happened

Numotion discovered suspicious activity in its email accounts on September 6, 2024. A forensic investigation revealed that an unauthorized third party accessed certain employee email accounts between August 23 and September 6, 2024. 

More specifically, these compromised emails contained sensitive patient information, including names, Social Security numbers, dates of birth, medical details, and financial data. The breach, affecting 2,319 individuals, was reported to the Department of Health and Human Services (HHS) and the affected individuals have been notified. 

Furthermore, identity theft protection services are offered to those whose Social Security numbers were exposed.

 

The backstory

The breach comes just months after Numotion faced a major ransomware attack earlier in the year. On March 2, 2024, the company discovered that unauthorized third parties had breached its computer systems and deployed ransomware. The attackers gained access between February 29 and March 2, 2024, exfiltrating protected health information (PHI), including names, birthdates, medical insurance details, and Social Security numbers. 

The breach initially affected 4,190 individuals but later expanded to 602,265 individuals. Despite the severity of the breach, Numotion claims there was no known misuse of the compromised data.

Go deeper: Numotion data breach affected over 600,000 patients

 

What was said

The recent Numotion data security notice states, "To date, we have no reason to believe that any personal information has been misused for the purpose of committing fraud or identity theft…"

 

By the numbers

  • 2,319 individuals were affected during the most recent email breach.
  • The March ransomware attack impacted 602,265 individuals, although initial estimates said 4,190 were affected.

 

In the know

Email breaches remain a common attack vector in cyberattacks on healthcare organizations. These organizations must use a HIPAA compliant email solution, like Paubox, to protect PHI and prevent unauthorized access. 

Paubox email offers advanced technical safeguards, including encryption and access controls, to help healthcare organizations reduce the probability of data breaches.

Learn more: HIPAA Compliant Email: The Definitive Guide

 

Why it matters

As a HIPAA-covered entity, Numotion must safeguard PHI. Stronger proactive security measures after the initial ransomware attack could have helped the company detect and prevent the second breach, ultimately safeguarding PHI and avoiding further harm.

 

The bottom line

Healthcare organizations must continually monitor and improve their cybersecurity. Moreover, using a HIPAA compliant email solution will reinforce email security and mitigate the risk of potential data breaches.

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach

 

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.

 

Are there any costs associated with placing a fraud alert or credit freeze?

No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.