Share this article on:
JASACare, a New York-based home care services provider, has reported it has been attacked by hackers who managed to gain access to its email system. The attack is believed to have been conducted in order to steal money from corporate accounts by making fraudulent bank transfers. However, as a consequence of the breach of an employee’s email account, patient and employee data was potentially compromised.
The attack took place on January 29, 2016., with the breach lasting for under two hours. Rapid identification of the attack is believed to have severely limited the opportunity for any harm to be caused to employees and patients.
However, the possibility exists that data was viewed or copied by the attackers during the time they had access to the email account. JASACare has reported that no evidence has been uncovered to suggest that was the case, or that any data were actually downloaded by the attackers. As soon as the email system compromise was discovered, access was blocked by changing the password of the compromised account.
An analysis of the compromised email account revealed that 1,154 individuals had potentially been affected. The types of data potentially accessed by the attackers included names, addresses, phone numbers, dates of birth, health insurance information, Social Security numbers, and JASACare account balances. All patients and staff members affected by the security incident are in the process of being notified of the possible breach of their data. JASACare has also committed to provide all affected individuals with a year of credit monitoring services without charge.
It is not clear from the substitute breach notice on the company website how the attackers managed to obtain login credentials to access the email account. However, JASACare has reported that the incident has prompted a security review and additional protections will be put in place to prevent similar breaches from occurring in the future.