Background of CPA HIPAA Breach
According to a notice updated on the firm’s website on January 17, 2022, there was unusual activity detected on the company network on September 14, 2021. The discovery prompted an unspecified response by the firm and an investigation.
On October 13, 2021, preliminary findings revealed that hackers accessed and potentially copied information in network folders between September 9 and 14, 2021. Further investigations determined that these folders contained names and Social Security numbers.
Some files also included information about ambulance trip(s), including date and tracking numbers, service level, payor type(s) and category, mileage information, charge/payment information, billing review information, and remittance advice details, which may have included medical information.
Under HIPAA regulations, the information exposed in this CPA HIPAA breach likely included PHI. If so, FML is required to notify affected individuals in writing within 60 days of the breach. The HIPAA Breach Notification Rule also requires reporting any breach that affects 500 or more individuals to the HHS Secretary and local media outlets within 60 days of discovery.
This breach of HIPAA-regulated information may be part of a more significant breach that affected nearly 54,000 individuals. A filing with the Office of the Maine Attorney General reported that FML notified consumers on November 24, 2021, of a hacking incident that covered the same period and had the same date of discovery.