A major data breach has occurred at Wisconsin-based Forefront Dermatology. The protected health information of 2.4 million employees and patients across 21 states and Washington D.C. has been exposed.
The data breach was detected by Forefront Dermatology in June 2021. An unauthorized individual had gained access to Forefront Dermatology’s IT system and accessed certain files containing the personal and protected health information of employees and current and former patients.
Forefront Dermatology explained in its substitute breach notification letter that the unauthorized access was immediately blocked, and an investigation was launched to determine the nature and scope of the breach. The investigation confirmed that its IT systems had been breached on May 28, 2021, and access remained possible until June 4, 2021 when the breach was detected and unauthorized access was blocked. The intrusion was reported promptly to law enforcement.
The investigation revealed the threat actor(s) behind the cyberattack accessed certain files relating to employees and patients. Those files potentially included information such as names, addresses, dates of birth, account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, accession numbers, provider names, and/or medical and clinical treatment information. No evidence was found to indicate highly sensitive data such as Social Security numbers, financial account information, or driver’s license numbers were compromised.
“While the investigation found evidence that only a small number of patients’ information was specifically involved, Forefront Dermatology could not rule out the possibility that files containing other patients’ information may have been subject to unauthorized access,” said Forefront Dermatology in a statement about the breach.
Affected individuals have been notified by mail and have been advised to remain vigilant for signs of identity theft and fraud and should carefully monitor their financial account and explanation of benefits statements for signs of any potentially fraudulent activity. Forefront Dermatology said it will be taking steps to enhance its security protocols to prevent further intrusions and data breaches.
The breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting a maximum of 2,413,553 individuals.