HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Maxim Healthcare Group Notifies 65,000 Individuals About October 2020 Email Breach

Columbia, MD-based Maxim Healthcare Group has started notifying 65,267 individuals about a historic breach of its email environment and the exposure of their protected health information.

Maxim Healthcare Group, which includes Maxim Healthcare Services and Maxim Healthcare Staffing, said it identified suspicious activity in its email environment on or around December 4, 2020. Steps were taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach.

The investigation revealed unauthorized individuals had access to several employee email accounts between October 1, 2020, and December 4, 2020. A comprehensive review of those accounts revealed they contained a range of protected health information that was potentially accessed and exfiltrated. The forensic investigation was unable to determine which emails, if any, were accessed and exfiltrated.

Maxim Healthcare said a manual and programmatic review was conducted of the contents of emails and attachments, which confirmed the following data may have been compromised: names, addresses, dates of birth, contact information, medical histories, medical conditions, treatment information, medical record numbers, diagnosis codes, patient account numbers, Medicare/Medicaid numbers, usernames/passwords, and limited Social Security numbers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Maxim Healthcare said it received the initial results of the content review on August 24, 2021, then had to locate up-to-date contact information for the affected individuals. That process was completed on September 21, 2021. It then took until November 4, 2021, for notifications to be issued to affected individuals, 13 months after the first email accounts were compromised and 11 months after the breach was detected.

Maxim Healthcare said it is offering complimentary credit monitoring services to affected individuals and steps have been taken to improve security. Maxim Healthcare said it immediately instituted additional security protocols, including multi-factor authentication for all email accounts, has transitioned to a new Security Operations Center with advanced detection and response capabilities, and will continuously integrate additional cybersecurity infrastructure and security measures as appropriate.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.