
Employee Health Plan Data Exposed in Forever 21 Data Breach

Fashion retailer Forever 21 has notified the Maine Attorney General of a data breach in which the health plan data of 539,207 current and former employees was exposed. Breach notification letters are being sent to everyone potentially affected by the breach. However, the letters reveal little about the nature of the attack or what specific data was exposed.

According to the notification published on the Maine Attorney General website, Forever 21 experienced an “external system breach” between January 5 and March 21, 2023. The nature of the information breached is “name or other personal identifier in combination with Social Security number”, and identity theft services are being offered to those potentially affected.

The notification also includes a link to the company’s breach notification letter to potentially affected individuals. The letter provides limited information about the nature of the attack or what specific data was exposed, stating that an unauthorized third party “accessed certain Forever 21 systems” and “obtained select files from certain Forever 21 systems”.

With regards to what these select files might have contained, the letter states, “the files involved contained some of your personal information, such as your name, Social Security number, date of birth, bank account number (without access code or pin), and information regarding your Forever21 health plan, including enrollment and premiums paid.”


Letter Raises More Questions than Answers

Forever 21 notes in the breach notification letter that the company has taken steps to “help assure” that the unauthorized third party no longer has access to the data and has not copied, retained, or further disclosed it. This has led to speculation that Forever 21 paid a ransom to the unauthorized third party – which, historically, does not “help assure” that the data will not be further disclosed.

Additionally, although the notification letter includes details of the credit monitoring and identity theft services available to potentially affected individuals, there is no advice about obtaining a copy of PHI from individuals’ healthcare providers to ensure the stolen data is not used to obtain healthcare or other health services (e.g., prescription drugs) in the individuals’ names.

This could mean that no Protected Health Information was exposed in the data breach, or that Forever 21 has omitted this important piece of advice for affected individuals. The latter is more likely if the data exposed in the external system breach included details of how the premiums were calculated or what payments had been made by the health plan for individuals’ treatments.

At the time of publication, Forever 21 has not reported the data breach to HHS’ Office for Civil Rights. However, because the breach discovery date entered on the Maine Attorney General website is August 4, 2023, the company has until October 3, 2023, to notify the agency – if Protected Health Information was exposed and the external system breach qualifies as a HIPAA data breach.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
