Multiple rehab units under the umbrella of Unity Recovery Group disclosed to partners personally identifiable details and health-related information belonging to their patients.
In April, it was discovered that Starting Point Detox, LLC, Lakeside Treatment Center, LLC, Changing Tides Transitional Living, LLC, and Unity Recovery Center, Inc. breached a hefty suite of policies regarding confidentiality and privacy of client data and IT security regulations.
Unity raises security standards
The circumstances of the incidents (recorded between April and March, this year) are unclear as the company does not mention if the leak was a result of technical issue or a human-related one; the number of affected patients remains undisclosed.
The information spilled to third-parties (recovery and/or rehabilitation service providers, unaffiliated with Unity) comprises names, addresses, dates of birth, email addresses, telephone numbers, social security numbers, insurance information, and/or certain health data.
At the moment there is no evidence that the details have been accessed or used for malicious purposes, the company says in a letter to the affected individuals, but the risk exists.
“To protect against future incidents, we have undertaken additional technological security measures and implemented additional training of our employees to ensure compliance with Unity’s Policies. We have also hired outside legal counsel to assist us with our investigation and Forensic Data Services, Inc., a technology forensics firm, to enhance the security of our IT systems,” Unity informs.
Fraud and scam potential is significant
The communication should have reached the persons impacted by the events via postal mail and further notifications may arrive if new developments emerge.
One of the most obvious risk associated with data breaches of this sort is identity theft, which can lead to financial loss in credit fraud operations. To lower the potential damage Unity offers one year of free identity and credit protection services.
Given the sensitivity of the details, cybercriminals can resort to other avenues to rob their victims, phishing being one method.
On the same note, the IRS released a notification this week about attackers gaining access to tax information of over 100,000 US citizens using SSNs, dates of birth and addresses collected from other breaches.