PHI of 3,253,822 Individuals Potentially Stolen and Deleted from 20/20 Hearing Care Network’s AWS Environment

The protected health information (PHI) of 3,253,822 current and former members of the 20/20 Hearing Care Network (20/20) has potentially been accessed and obtained by an unauthorized individual.

20/20 was alerted to a potential breach of its Amazon Web Services (AWS) cloud storage environment on January 11, 2021. Suspicious activity had been identified and the AWS environment was secured immediately, but not before files had been downloaded and the data stored in 20/20’s AWS S3 buckets had been deleted.

Third-party digital forensics experts were engaged to assist with the breach investigation and determine the extent and nature of the security breach. In late February, it was confirmed that the AWS S3 buckets had contained PHI, which may have been accessed and acquired by an unauthorized individual; however, it was not possible to determine which files had been downloaded.

The breach was reported to the Maine Attorney General as an insider wrongdoing incident, which suggests a current or former employee was responsible, although the motive for the attack and the deletion of the data has not been disclosed. 20/20 said the unauthorized individual had gained access to the S3 buckets, downloaded some data, and then deleted the entire contents of the S3 buckets.
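The sequence 20/20 describes (access to the buckets, some objects downloaded, then the contents deleted) and the investigators' inability to say which files were taken both come down to what S3 activity was recorded. CloudTrail records S3 bucket-level management calls by default, but object-level calls such as GetObject and DeleteObject are data events that are only recorded when data-event logging is enabled for the bucket (S3 server access logging is the other source of per-object records). The following Python is an added example, not 20/20's or AWS's code: it takes CloudTrail S3 data-event records (a constructed sample; the field names follow the CloudTrail record format, while the account ID, bucket, keys, principals and IP addresses are invented), reconstructs per principal which objects were read and which were deleted, and flags the download-then-delete pattern. The constructed bulk DeleteObjects record carries no per-key list, so such calls are counted rather than expanded.

```python
"""Reconstruct from CloudTrail S3 data events which objects each principal
downloaded and which it deleted, and flag download-then-delete activity.

Added example; the records below are constructed (field names follow the
CloudTrail S3 data-event format, values are invented). The analysis only
works if data-event logging was enabled before the incident: without it,
CloudTrail shows no GetObject/DeleteObject calls at all.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (hypothetical account, bucket, users, IPs).
SAMPLE_RECORDS = [
    {"eventTime": "2021-01-11T01:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.3.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/etl/ingest"},
     "requestParameters": {"bucketName": "example-members", "key": "claims/2019.csv"}},
    {"eventTime": "2021-01-11T02:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-members"}},
    {"eventTime": "2021-01-11T02:14:33Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-members", "key": "members/export-2020.csv"}},
    {"eventTime": "2021-01-11T02:15:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-members", "key": "claims/2019.csv"}},
    {"eventTime": "2021-01-11T02:40:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-members", "key": "members/export-2020.csv"}},
    {"eventTime": "2021-01-11T02:40:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-members", "key": "claims/2019.csv"}},
    # Bulk delete: in this constructed record the keys are not enumerated.
    {"eventTime": "2021-01-11T02:41:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObjects", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-members", "delete": ""}},
]

READ_EVENTS = {"GetObject"}
DELETE_EVENTS = {"DeleteObject", "DeleteObjects"}


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(record):
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or "unknown"


def reconstruct(records):
    """Per principal: keys read, keys explicitly deleted, bulk-delete calls
    (keys not enumerated in the record), source IPs, first read / first delete."""
    def empty():
        return {"read": set(), "deleted": set(), "bulk_deletes": 0,
                "ips": set(), "first_read": None, "first_delete": None}
    activity = defaultdict(empty)
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in READ_EVENTS and name not in DELETE_EVENTS:
            continue  # ListObjects, HeadObject, management events, ...
        entry = activity[_principal(rec)]
        when = _parse_time(rec["eventTime"])
        key = (rec.get("requestParameters") or {}).get("key")
        entry["ips"].add(rec.get("sourceIPAddress", "?"))
        if name in READ_EVENTS:
            entry["read"].add(key)
            if entry["first_read"] is None or when < entry["first_read"]:
                entry["first_read"] = when
        else:
            if key:
                entry["deleted"].add(key)
            else:
                entry["bulk_deletes"] += 1
            if entry["first_delete"] is None or when < entry["first_delete"]:
                entry["first_delete"] = when
    return dict(activity)


def flag_download_then_delete(activity):
    """Principals that read objects and afterwards deleted objects or issued a
    bulk delete. Returns {principal: sorted keys both read and explicitly deleted}."""
    flagged = {}
    for principal, a in activity.items():
        destroyed = bool(a["deleted"]) or a["bulk_deletes"] > 0
        if a["first_read"] and destroyed and a["first_read"] < a["first_delete"]:
            flagged[principal] = sorted(a["read"] & a["deleted"])
    return flagged


if __name__ == "__main__":
    acts = reconstruct(SAMPLE_RECORDS)
    for p, a in acts.items():
        print(f"{p}: read={sorted(a['read'])} deleted={sorted(a['deleted'])} "
              f"bulk_deletes={a['bulk_deletes']} ips={sorted(a['ips'])}")
    for p, keys in flag_download_then_delete(acts).items():
        print(f"FLAG download-then-delete by {p}; keys read then deleted: {keys}")
```

Run stand-alone, the script prints one summary line per principal and flags the IAM user who read two objects and then deleted them and emptied the bucket; the ETL role, which only read, is not flagged. The practical point is that this reconstruction is only possible if object-level logging (and, to make the deletion recoverable, S3 versioning or Object Lock) was turned on before the incident; it is preparation work, not something an investigation can add afterwards.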

The investigation confirmed that the S3 buckets included PHI such as members’ names, dates of birth, Social Security numbers, health insurance information, and member ID numbers. Notification letters have started to be sent to all individuals potentially affected by the incident, and 20/20 has said complimentary credit monitoring and identity theft protection services are being offered, although no misuse of member data is suspected.

20/20 has conducted a thorough review of its policies and procedures and changes have been made to prevent similar incidents in the future.

This is the second largest U.S. healthcare data breach to be reported by a single HIPAA-covered entity so far in 2021, behind the 3.5 million record breach reported by Florida Healthy Kids Corporation in January 2021.