Cyber Incident Victim: Advocates Inc.

Advocates Inc., a Massachusetts-based nonprofit organization providing support services for individuals facing challenges such as addiction, autism, and mental health issues, experienced a cyberattack between September 14 and September 18, 2021. An unauthorized actor gained access to the organization's network and exfiltrated files containing sensitive personal and health information. The breach was discovered on October 1, 2021, when Advocates was notified about the unauthorized network access. The organization engaged a cybersecurity firm to investigate the incident, which confirmed data theft occurred during the four-day intrusion period. The compromised files included names, addresses, dates of birth, Social Security numbers, health insurance details, client ID numbers, diagnoses, and treatment information belonging to both patients and employees. Advocates delayed notification while working to verify impacted individuals and collect current contact information.

The incident affected 68,236 individuals according to the breach report submitted to the HHS Office for Civil Rights. Advocates reported the attack to the Federal Bureau of Investigation and regulatory authorities but stated no evidence of attempted or actual misuse of stolen data had been identified. As a precautionary measure, the organization offered complimentary credit monitoring and identity theft protection services to affected individuals. The cybersecurity investigation revealed no additional details about the attackers' identity or methods beyond characterizing the incident as a sophisticated cyberattack resulting in confirmed data theft. Advocates implemented notification procedures consistent with regulatory requirements after completing their internal review and verification process.