Intruder gained access via phishing attacks
A data breach at US healthcare provider Elara Caring has potentially exposed the personal details of more than 100,000 elderly patients.
The company, which provides home-based health services, suffered an unauthorized computer intrusion in December 2020 after a series of phishing attacks targeted employees.
The attack resulted in a potential 100,487 individuals having their data compromised, as reported to the US Department of Health and Human Services by parent company BW Homecare Holdings.
In a letter (PDF) addressed to victims, seen by The Daily Swig, Elara Caring confirmed what it described as an “isolated” security incident.
Potentially exposed data includes patients’ names, dates of birth, addresses, phone numbers, financial or bank account information, Social Security numbers, insurance information and account numbers, and driver’s license numbers.
“Elara has no evidence that personal information was downloaded, accessed or misused by the intruder,” the company said.
“The leading specialist assisting on this matter also confirmed that there was no evidence of malware, wire transactions, or unauthorized system access.”
According to Elara Caring, the unauthorized access lasted for at least five days.
The statement continues: “On December 9, 2020, a phishing email was sent from a known external entity to two Elara employees.
“The intruder then gained access to a limited number of Elara employee email accounts and sent additional phishing emails from two accounts.
“The period of unauthorized access extended from December 9-16. Elara learned of the unauthorized access on December 9, and promptly mitigated the incident, changing passwords and denying access to the intruder as accounts were identified.”
The incident was fully contained by December 16, reported Elara Caring. The FBI have been informed.
The healthcare provider said it forced a company-wide password change and implemented multifactor authentication for all users of its systems.
It also conducted “enhanced security training” for its personnel to “better detect and prevent phishing scams”.
Elara is offering a free two-year membership of Experian services to all affected individuals.