The Virginia-based medical equipment provider is now notifying impacted customers.
What happened
On December 30th, 2024, Tycon Medical Systems filed a notice of a data breach with the Attorney General of Massachusetts. The company also filed a notice with the Attorney General of Vermont.
According to the notice, Tycon discovered that an unauthorized user had accessed customer information in their possession. Tycon has now begun sending breach notification letters.
Going deeper
According to a sample breach notice, Tycon became aware of suspicious and disruptive activity on October 15th, 2024. Upon discovery, the equipment provider immediately began securing their network and investigating if sensitive data had been accessed or copied.
By October 17th, they knew that some data had been accessed. The investigation concluded on December 20th. Currently, Tycon has not explicitly stated how many individuals were impacted or what data was impacted. Typically, leaked data can include Social Security numbers, addresses, and contact information. In some cases, it can also include health and financial information.
In response, Tycon said they have “implemented several measures to enhance our security posture and reduce the risk of similar future incidents.” The company is also offering complimentary credit monitoring and identity theft protection services.
What’s next
Now, Tycon is being investigated by at least one law firm regarding a class action suit. For healthcare organizations, these lawsuits are becoming increasingly common and can cost companies hundreds of thousands of dollars. Most companies choose to settle rather than fight the cases in court.
Tycon has not yet filed a breach report with the Department of Health and Human Services. Healthcare organizations are mandated to file a report if the breach impacts over 500 individuals. If they need to file, they must do so within 60 days of discovering the breach. Currently, we don’t know the number of impacted individuals, but that information will likely be announced in the near future, especially if Tycon files the breach with the HHS. As of now, Tycon has also not released a statement on their website.
The big picture
In some cases, it can be difficult to determine the true impact of a data breach, especially without knowing the victim count or impacted data. While breach letters are important to send, it’s also vital that information can be found in additional places, like the website. Tycon may be unable to notify individuals if they do not have a valid address for them.
Any breach, no matter how big or small, can impact individuals, potentially leading to theft or fraud. Every organization has an obligation to protect data and ensure privacy is maintained.