
Cyber Incident Victim: Link Audiology

Date:

Apr 2023

Location:

United States of America

Summary

Link Audiology experienced a data breach when an email account was compromised. The hacked account contained communications between the audiology office and its contracted billing company. Notification letters were sent to all patients in the database as a precaution. The organization reported the incident to HHS and FTC and took steps to secure its computer systems to prevent future occurrences.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

On or around April 4, 2023, Link Audiology experienced a security incident involving the compromise of one of its email accounts. Unauthorized access to this account was the central point of the breach. The hacked account held a significant volume of sensitive information because of how it was used: it carried the correspondence between the Link Audiology office and an external third-party company contracted to handle billing. That third party managed billing procedures directed at both insurance providers and patients of Link Audiology. The communications in the account likely included the details needed to process those billing transactions, which could encompass a range of personal and financial data points.


Following the discovery of this incident, Link Audiology undertook a response process that included an assessment to determine the scope and potential impact of the data exposure. The company determined that the contents of the breached email account could include protected health information and other personal data belonging to current and former patients of their practice. This assessment led to the decision to issue formal notifications to the individuals whose information may have been accessible to the unauthorized actor. The notification effort was comprehensive; letters were sent to every patient contained within the Link Audiology database as a precautionary measure. This action indicates the company opted for a broad notification strategy to ensure all potentially affected individuals were made aware of the situation, even if their specific data was not definitively confirmed to have been viewed or exfiltrated.

Notification letters were sent to patients, informing them of the data breach and describing the nature of the incident. The letters explained that one of the company's email accounts had been hacked and outlined the types of information that may have been exposed through the account's communications with the billing contractor. As part of its regulatory obligations, Link Audiology formally notified two federal agencies about the breach. It notified the Department of Health and Human Services (HHS), a standard requirement for breaches involving protected health information under regulations such as HIPAA, and it notified the Federal Trade Commission (FTC) in accordance with standard reporting procedures for data security incidents.

Within the patient notification letter, Link Audiology provided guidance to individuals on steps they could consider taking to protect themselves from potential misuse of their information. This guidance included a recommendation for recipients to contact their financial institutions, specifically their banks, to place a fraud alert on their accounts. The company also advised patients to consider contacting one of the major credit bureaus to institute a fraud alert or credit monitoring service as a further protective step. The full text of this notification letter was made publicly available on the Link Audiology website, attached to a post dated May 9, 2023, which was authored by Evan Grolley, Au.D., the owner of the practice.

Concurrently with the external notification process, Link Audiology initiated internal response actions focused on securing its computer systems to prevent a recurrence of such an incident. The company stated that it made every effort to enhance the security posture of its digital infrastructure. This effort likely involved a review of access controls, password policies, and email security configurations. The implementation of additional security measures was aimed at fortifying the systems against future unauthorized access attempts. The breach was publicly disclosed on the company's website over a month after the incident date, with the post going live on May 9, 2023.

Public reaction to the breach notification manifested through comments on the website post. One patient, Patricia March, inquired on June 1, 2023, if the remediation efforts related to the data breach were negatively affecting the office's telephone service. She mentioned she was attempting to coordinate care with Kaiser Permanente for an MRI prior to ordering new hearing aids and sought assistance. Evan Grolley, Au.D., responded to this comment on July 29, 2023, clarifying that the office's phone system was not impacted by the data breach itself. He provided additional context, explaining that the practice was in the process of updating to a new phone system around the same time the breach occurred. This unrelated upgrade project encountered technical issues, including problems with dropped calls, but these issues were resolved by the company's IT provider and were not a consequence of the security incident or its containment activities.

The incident did not appear to extend beyond the initial email account compromise. Based on the available information, other systems such as the clinical management software, patient records databases, or the telephone system were not breached. The impact was contained to the data present within the single email account that was hacked. The primary consequences were the potential exposure of patient information shared via email with the billing contractor and the operational burden of responding to the incident. The response included patient notification, regulatory reporting, and system security enhancements. The company's public communications aimed to be transparent about the event while also distinguishing it from other unrelated technical difficulties the practice was experiencing concurrently. The breach serves as an example of a targeted attack on a communication channel that handled sensitive patient billing information, necessitating a comprehensive response to address potential patient risk and regulatory requirements.
