CareATC email accounts accessed by unauthorized persons

CareATC, a population health management company based in Tulsa, OK, discovered that two employees’ email accounts were accessed by unauthorized individuals, who potentially gained access to patients’ and employees’ personal information.
CareATC launched an investigation on June 29, 2021, when suspicious activity was detected in an employee’s email account. Third-party forensic specialists were engaged to assist in the investigation and determine the extent and scope of the security breach. The investigation revealed that a second email account had also been compromised, with both email accounts having been subject to unauthorized access between June 18 and June 29, 2021.
Upon discovery of the compromised email accounts, steps were taken to block further unauthorized access, and a full review was performed to determine what patient data had been exposed. The review was completed around August 11, 2021.
For the majority of those affected, who include patients, employees and dependents of patients and employees, the information in the compromised email accounts was limited to names and dates of birth. Other individuals also had one or more of the following data elements exposed in addition to their name: social security number, driver’s license number, date of birth, financial account information, medical history and treatment information, health insurance information, passport number, American Alien Registration Number, electronic/digital signature, username and password.
Notifications have now been sent to data subjects for whom valid postal addresses have been maintained. CareATC has worked with third-party cybersecurity specialists to improve email security, and steps have already been taken to strengthen the security of its email system. CareATC also said employees have received additional email security training.
The breach summary on the Department of Health and Human Services’ Office of Civil Rights Violations Portal indicates that 98,774 patients were affected by the breach.