PHI of Employees Compromised in Cyberattack on Waste Management Firm

USA Waste-Management Resources, LLC has started notifying certain employees, former employees, and dependents covered by its self-administered health plan that some of their personal and protected health information (PHI) was compromised in a January 2021 cyberattack.

Waste-Management Resources said suspicious activity was detected in its IT systems on January 21, 2021. An investigation was launched and, assisted by third-party computer forensics specialists, Waste-Management Resources confirmed that an unauthorized individual had accessed its systems between January 21 and January 23, 2021, and that certain files were accessed and stolen in the attack.

An extensive review was conducted to determine if any files stored on the compromised parts of its network contained any sensitive information. That process was completed on June 21, 2021.

The review confirmed that the following types of information had been exposed and had potentially been compromised: names, Social Security numbers, taxpayer identification numbers, government ID numbers, state ID numbers, driver’s license numbers, dates of birth, financial/bank account numbers, debit/credit card numbers, medical history/treatment information, health insurance information, passport numbers, and usernames/email addresses and passwords for financial electronic accounts. Waste-Management Resources said it was not possible to tell which files were actually exfiltrated in the attack.

Notification letters started to be sent to affected individuals on August 11, 2021. Waste-Management Resources said, “While the investigation remains ongoing, we are taking steps now to implement additional safeguards and review policies and procedures relating to data privacy and security.”

Affected individuals have been advised to monitor their financial accounts for any sign of misuse of their personal data, to obtain a free credit report from one of the three major credit monitoring bureaus, and to consider placing a free fraud alert or a credit freeze on their files. It does not appear that credit monitoring and identity theft protection services are being offered, despite the extensive and highly sensitive nature of the data potentially compromised in the attack.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.