Cyber Incident Victim: Partners for Quality
Date:
Jan 2019
Location:
United States of America
Summary
Partners for Quality, a Pennsylvania-based agency serving individuals with intellectual and developmental disabilities, experienced a breach involving unauthorized access to three employee email accounts over a multi-week period. The compromised accounts contained sensitive client and employee information, including names, Social Security numbers, medical diagnoses, treatment details, financial account data, and login credentials. The organization discovered suspicious activity and engaged third-party investigators, ultimately notifying 3,673 affected clients. At the time of disclosure, there were no reported instances of information misuse, though the notification did not specify whether credit monitoring or identity protection services were offered to impacted individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around January 19, 2019, unauthorized individuals gained access to three employee email accounts at Pennsylvania-based Partners for Quality (PFQ), a nonprofit agency providing services to children with intellectual and developmental disabilities. The organization discovered unusual activity in these accounts on February 19, 2019, prompting an investigation with third-party specialists. Forensic analysis confirmed the unauthorized access persisted until February 27, 2019, establishing a 39-day compromise window. The breach impacted PFQ's network of affiliated entities—Allegheny Children’s Initiative, Citizen Care, Lifeways, Inc. (operating as Exceptional Adventures), Milestone Centers, and Partners For Quality Foundation—though the notification did not specify whether all subsidiaries were equally affected. Investigators determined the compromised accounts contained protected health information and sensitive employee data, exposing clients and staff to potential identity theft or financial fraud.
PFQ formally notified 3,673 affected clients and the U.S. Department of Health and Human Services (HHS) about the breach on April 19, 2019, exactly two months after discovering the incident. The disclosed notification confirmed exposed personal information included names, dates of birth, Social Security numbers, medical record numbers, diagnosis/treatment details, billing/claims data, health insurance information, driver’s license numbers, passport details, banking/financial account numbers, credit/debit card information, PINs, and account credentials. Despite the sensitivity of the exposed data, PFQ’s public notification did not reference any offers of credit monitoring, identity protection services, or other mitigation assistance to affected individuals. The organization reported no instances of actual misuse related to the breach as of the April 19 disclosure date. PFQ published full details of the incident on their website but maintained operational silence regarding specific containment measures, forensic methodologies, or attacker attribution beyond confirming the email account intrusions.