Cyber Incident Victim: Telus Health

Date: May 2023

Location: United States of America

Summary

TELUS Health (US) Ltd. experienced an external system breach involving hacking. The incident resulted in the unauthorized acquisition of personal information, including names combined with Social Security Numbers. A total of 157 individuals were affected, which included two Maine residents. The organization offered affected persons one year of credit monitoring and identity theft protection services provided by Kroll.

Description

On or around May 29, 2023, an external system breach occurred at TELUS Health (US) Ltd., a commercial entity operating from 250 Royall Street, Suite 210W, Canton, Massachusetts 02021. The unauthorized access to the company's systems continued into the following day, May 30, 2023. The incident was not discovered until nearly a month later, on June 22, 2023, a period of approximately three weeks during which the breach went undetected. The incident was identified as an external system breach attributed to hacking by an outside party. The breach resulted in the acquisition of sensitive personal information belonging to a total of 157 individuals, including two residents of the state of Maine.

The specific information acquired during the breach involved the name or another personal identifier of the affected individuals in combination with their Social Security Numbers. This type of data combination is classified as highly sensitive, as it can be used for identity theft and financial fraud. The compromise of Social Security Numbers presents a significant risk to the victims, as these identifiers are permanent and can be used to open new lines of credit, file fraudulent tax returns, or obtain government benefits in someone else's name. The exposure of this specific data type dictated the subsequent response and mitigation efforts undertaken by the company.

Upon discovery of the breach on June 22, 2023, TELUS Health (US) Ltd. engaged outside counsel to manage the incident response and notification process. The law firm of Baker & Hostetler LLP, specifically partner Lynn Sessions, was designated to act on behalf of the entity. Ms. Sessions, with a telephone number of 713-646-1352 and an email address of [email protected], served as the primary submitter for the breach notification to the Office of the Maine Attorney General. This engagement demonstrated a formalized response to the incident, utilizing external legal expertise to navigate the regulatory requirements associated with a data breach.

The company determined that written notification was the appropriate method for informing all affected individuals of the breach. These written notifications were dispatched to consumers on August 7, 2023. This date is over two months after the breach was discovered and more than two months after the initial intrusion occurred. The time elapsed between the discovery date and the consumer notification date suggests a period was dedicated to conducting an internal investigation to determine the full scope of the breach, identify all impacted individuals, and prepare the necessary communication materials.

As part of its response, TELUS Health (US) Ltd. offered identity theft protection services to all 157 affected individuals. The company provided these services through Kroll, a well-known provider of risk mitigation and response solutions. The services offered included comprehensive credit monitoring and identity theft protection. These services were offered for a duration of one year from the date of notification. The provision of such services is a common remedial action intended to help affected individuals monitor their financial accounts and personal information for signs of fraudulent activity following a data security incident. This offering was designed to help mitigate the potential harms stemming from the exposure of Social Security Numbers.

The breach notification was formally submitted to the Maine Attorney General's office, where it was listed under the category of Data Breach Notifications within the Consumer Protection division. The entity was classified as an "Other Commercial" type of organization. The filing confirmed that the total number of Maine residents affected was below the 1,000-person threshold that would have required additional notification to consumer reporting agencies. The submission included a copy of the notice sent to affected Maine residents, titled "TELUS_ME App & Sample.pdf," providing transparency into the communication received by consumers. The filing also noted that TELUS Health (US) Ltd. had not issued any previous breach notifications within the twelve months preceding this incident.

The impact of the breach was confined to a relatively limited number of individuals, with 157 persons affected in total. However, the sensitivity of the data involved elevated the seriousness of the incident despite the smaller scale. The consequences for the victims included an immediate and ongoing risk of identity theft due to the exposure of their names and Social Security Numbers. The company's response, led by its outside counsel, focused on regulatory compliance through official notification and on providing a tool for victims to protect themselves via the Kroll monitoring services. The technical specifics of the attack vector, the exact systems compromised, and the identity or motivation of the threat actors were not disclosed in the public notification. The recorded facts outline a clear chronology: intrusion in late May, discovery in late June, and consumer notification with an offer of protective services in early August. The incident represents a case where a focused cyber attack resulted in the extraction of highly sensitive personal data, triggering a structured response centered on legal compliance and victim support.
