The First Breach of 2024: Transformative Healthcare; Data Stolen from +900k Victims
Table of Contents
- By Steven
- Jan 02, 2024
Our first breach report of 2024 concerns Boston’s retired Fallon Ambulance Service (FAS). When operating, FAS was a medical transcription company serving emergency services and other affiliated companies. Transformative Healthcare (TH) oversaw FAS as a support component of their telephone services. TH absorbed FAS in December 2022 but retained patient data in compliance with their legal obligations. Months later, an unauthorized actor breached their data storage—compromising the information of 911,757 individuals.
How Did the Attack Occur?
Little is public about the attack, and even less is available about how it happened. According to the regulator notice at the Maine Attorney General’s Office, officials discovered suspicious activity in a data storage archive and immediately conferred with third-party specialists. It is unknown how the assailants made the attack possible. TH’s notice indicates they successfully secured the storage archive, but it is unclear whether it was a password, network, or security alteration.
What Information Was Viewed or Stolen?
The data stolen in this breach varies between individuals and their relationship with TH; stolen elements include names, addresses, COVID-19 testing and information, Social Security Numbers, information connected to FAS employment or applications, and other medical details. These exposures set the victims up for serious problems, from identity theft to medical fraud. No one knows when or how the assailants might misuse the data—they could trade a record or sell bulk data bundles; they could misuse it this weekend or years from now. Victims only have retroactive options; monitoring services, for example, cannot stop data misuse but mitigate its exacting emotional and financial consequences.
How Did Transformative Healthcare Admit to the Breach?
In December 2022, FAS stopped providing services and was closed. Two months later, around February 17th, 2023, suspicious activity appeared within the data storage. Around April 21st, officials discovered the activity and immediately responded, expelling the threat within 24 hours. TH’s investigations launched soon after; they concluded around December 27th, and officials began sending notices to consumers and state offices that day.
What Will Become of the Stolen Information?
The impact figure of this breach is estimated to be 911k; however, the overall consequences of the breach may be significant, mainly due to FAS’ relationships with affiliated transcription services. In 2023, medical transcription organization Perry Johnson & Associates (PJ&A) experienced a similar situation. Unlike FAS, PJ&A’s estimated impact was 1.2 million stolen records—a few weeks later, that figure exploded to 9 million. As history has indicated, the FAS breach may reappear. Due to this event, organizations that use FAS may have a higher risk for breaches and cyber threats.
What Should Affected Parties Do in the Aftermath of the Breach?
Although the breach happened potentially 11 months ago, victims can still mitigate the personal damages caused by the event. They’ll need to shop for an identity protective service. They’ll need a service that can alert professionals immediately to suspicious activities with accounts. They’ll need an Explanation of Benefits from their healthcare provider and a year-long itemized insurance statement. They’ll need to scrutinize both documents in comparison—if anything is off, they could have information or money at risk. Acting can help mitigate the consequential damages of this breach; it’s not a matter of if the cybercriminals misuse it, but when.