PHI of 3,253,822 Individuals Potentially Stolen and Deleted from 20/20 Hearing Care Network’s AWS Environment

The protected health information (PHI) of 3,253,822 current and former members of the 20/20 Hearing Care Network (20/20) has potentially been accessed and obtained by an unauthorized individual.

20/20 was alerted to a potential breach of its Amazon Web Services (AWS) cloud storage environment on January 11, 2021. Suspicious activity had been identified and the AWS environment was immediately secured; however, not in time to prevent files from being downloaded and the data stored in 20/20’s AWS S3 buckets from being deleted.

Third-party digital forensics experts were engaged to assist with the breach investigation and determine the extent and nature of the security breach. In late February, it was confirmed that the AWS S3 buckets had contained PHI, which may have been accessed and acquired by an unauthorized individual; however, it was not possible to determine which files had been downloaded.

The breach was reported to the Maine Attorney General as an insider wrongdoing incident, which suggests a current or former employee was responsible, although the purpose for attack and deletion of data has not been disclosed. 20/20 said the unauthorized individual had gained access to the S3 buckets, downloaded some data, and then deleted the entire contents of the S3 buckets.

The investigation confirmed that the S3 buckets included PHI such as members’ names, dates of birth, Social Security numbers, health insurance information, and member ID numbers. Notification letters started to be sent to all individuals potentially affected by the incident and 20/20 has said complimentary credit monitoring and identity theft protection services are being offered, although misuse of member data is not suspected.

20/20 has conducted a thorough review of its policies and procedures and changes have been made to prevent similar incidents in the future.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

This is the second largest U.S. healthcare data breach to be reported by a single HIPAA-covered entity so far in 2021, behind the 3.5 million record breach reported by Florida Healthy Kids Corporation in January 2021.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/