United Seating and Mobility, operating as Numotion, reported a data breach involving unauthorized access to employee email accounts, exposing sensitive patient information.
Numotion discovered suspicious activity in its email accounts on September 6, 2024. A forensic investigation revealed that an unauthorized third party accessed certain employee email accounts between August 23 and September 6, 2024.
More specifically, these compromised emails contained sensitive patient information, including names, Social Security numbers, dates of birth, medical details, and financial data. The breach, affecting 2,319 individuals, was reported to the Department of Health and Human Services (HHS), and the affected individuals have been notified.
Furthermore, identity theft protection services are offered to those whose Social Security numbers were exposed.
The breach comes just months after Numotion faced a major ransomware attack earlier in the year. On March 2, 2024, the company discovered that unauthorized third parties had breached its computer systems and deployed ransomware. The attackers gained access between February 29 and March 2, 2024, exfiltrating protected health information (PHI), including names, birthdates, medical insurance details, and Social Security numbers.
The breach initially affected 4,190 individuals but later expanded to 602,265 individuals. Despite the severity of the breach, Numotion claims there was no known misuse of the compromised data.
The recent Numotion data security notice states, "To date, we have no reason to believe that any personal information has been misused for the purpose of committing fraud or identity theft…"
Email breaches remain a common attack vector in cyberattacks on healthcare organizations. These organizations must use a HIPAA compliant email solution, like Paubox, to protect PHI and prevent unauthorized access.
Paubox email offers advanced technical safeguards, including encryption and access controls, to help healthcare organizations reduce the probability of data breaches.
As a HIPAA-covered entity, Numotion must safeguard PHI. Stronger proactive security measures after the initial ransomware attack could have helped the company detect and prevent the second breach, ultimately safeguarding PHI and avoiding further harm.
Healthcare organizations must continually monitor and improve their cybersecurity. Moreover, using a HIPAA compliant email solution will reinforce email security and mitigate the risk of potential data breaches.
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.