Cyber Incident Victim: Bay Area Children's Association
Date: Jan 2015
Location: United States of America
Summary
A cyberattack compromised patient data at the Bay Area Children's Association after attackers used stolen credentials to deploy malware on systems managed by its electronic medical records provider. The breach exposed sensitive information including names, addresses, telephone numbers, dates of birth, Social Security numbers, medical insurance details, and health visit records for an undetermined number of individuals. The organization discovered unauthorized access to patient records and notified law enforcement agencies, including the FBI and Secret Service. While unable to conclusively identify all affected patients, the association issued breach notifications and offered complimentary credit monitoring services. No fraudulent misuse of the exposed data has been confirmed.
Description
On May 5, 2016, the Bay Area Children’s Association reported a data breach to the California Attorney General involving unauthorized access to patient information. The compromise occurred after cyber intruders planted malware on the systems of the association’s electronic medical record provider. Investigators determined that attackers used stolen credentials to gain access to these systems in January 2015, establishing a foothold that persisted undetected for over a year. The association was notified on April 1, 2016, that unauthorized individuals had acquired patient records during this period. Exposed information included names, addresses, telephone numbers, dates of birth, Social Security numbers, medical insurance details, and health visit histories for patients who had provided such data to the association. Despite forensic efforts, the organization could not definitively identify which individuals were affected, because the analysis did not support a confident determination. No evidence of fraudulent misuse of the stolen data had been identified at the time of reporting.

In response to the breach, the Bay Area Children’s Association issued a Notice of Data Breach dated May 6, 2016, to all potentially affected individuals. This notice advised recipients to place 90-day fraud alerts with major credit bureaus given the sensitive nature of the exposed data. The association offered 12 months of complimentary credit monitoring services to breach victims as remediation. Law enforcement agencies including the Federal Bureau of Investigation, U.S. Secret Service, and U.S. Attorney’s Office were formally notified of the incident to support investigative efforts. Because the malware intrusion reached patient data through a third-party medical records provider, the incident illustrates supply chain risk: the association’s exposure depended on the security of a vendor’s systems. Patient data remained at risk for 15 months between the initial January 2015 compromise and the April 2016 discovery notification.
