One email to expose them all: single user breach exposes data of 11K children


Attackers targeted Datavant, a health IT company, with a phishing attack. While few fell for the trick, it took only one compromised email to expose the sensitive records of thousands of minors.

There’s a reason attackers send waves of phishing emails – it only takes one good hit to take over vast amounts of data. This is exactly what happened to Datavant, a US-based tech firm that provides healthcare organizations with medical record processing services.

According to the company’s data breach notification letter, in early May of 2024, several Datavant users were targeted with an email phishing attack. While the company caught the intrusion on the same day, a subsequent investigation revealed that thousands were exposed.

ADVERTISEMENT
jurgita Ernestas Naprys Niamh Ancell BW Paulius Grinkevicius
Get our latest stories today on Google News

“[...] an unauthorized individual(s) gained access between May 8th, 2024, and May 9th, 2024 to certain Datavant data contained in a single user’s mailbox,” the letter reads.

Information submitted to the Maine Attorney General revealed that the breach, which likely stems from data kept in one of the users' email boxes, exposed over 11,000 thousand individuals. To make matters worse, the letter claims that the data belonged to minors.

The exposed information includes a trove of sensitive details, which should not be open to the public, including:

  • Names
  • Addresses
  • Contact details
  • Social Security numbers
  • Financial account information
  • Driver’s licenses
  • Passports
  • Health information

At least in theory, attackers could employ exposed details for targeted phishing attacks, identity fraud, and various scams, posing significant risks to the affected individuals.

Moreover, malicious actors can use medical details to commit medical identity theft, a type of fraud in which threat actors use stolen information to submit forged claims to Medicare and other health insurers.

While Datavant claims that the attack did not impact its systems or data storage, the company said it has strengthened its technical security safeguards and vouched to train employees in phishing awareness.

ADVERTISEMENT

As is typical with similar cases, the company also said it will provide “minor identity monitoring” and identity theft restoration services to impacted individuals free of charge for two years.

Datavant claims to work with 70,000 hospitals and clinics, enabling “60 million healthcare records to move between them.”