Catholic Charities breach exposed data for at least two years
In late August, personnel at Catholic Charities’ Glens Falls office in New York were conducing security upgrades when they discovered unauthorized software on a server. The organization engaged a forensic analysis vendor which determined that the server may have been accessible by hackers since 2015.
Now, about 4,600 individuals are being notified of the breach and will receive one year of identity theft protection and credit monitoring services. Epiq is the vendor assisting with these services.
The Glens Falls office of Catholic Charities annually aids more than 5,000 people with such services as family counseling, nutrition domestic violence support, as well as a community home for the terminally ill and emergency assistance. Affected individuals live in Saratoga, Warren and Washington counties.
Compromised information included patient names, addresses, dates of birth, dates of services, diagnostic codes and some health insurance identification numbers that may have included Social Security numbers. The affected server did not include treatment case notes or financial or banking information.
In an announcement, Catholic Charities said there is no indication that personal information was actually accessed, stolen or disseminated. “Our mission is to help people in need, and as we do this work every day, we are always mindful of our responsibility to protect the information they share with us,” says Sister Charla Commins, executive director of Catholic Charities in the affected counties. “We have modern digital security measures in place, but every day it seems criminals intent on invading computer systems find new ways to do so.”
"The big lesson that we want people to know is that this kind of thing can happen to anybody, even a small non-profit," says Paul McAvoy, director of marketing and communication. "And, because the server contained protected health information that dictated how we reported the breach to the affected people and in the media per New York State and HIPAA requirements."