Cyber Incident Victim: PSL Services
Date:
Dec 2019
Location:
United States of America
Summary
A HIPAA-covered entity experienced a security incident involving unauthorized access to multiple employee email accounts over a multi-day period. The compromise potentially exposed sensitive personal and medical information, including names, addresses, dates of birth, Social Security numbers, driver’s license details, Maine Care identifiers, and health-related data. Following discovery of suspicious activity, the organization initiated an investigation with third-party forensic specialists to determine the incident's scope and identify affected individuals. Notification was provided to federal health authorities, state officials, and media outlets, with plans to directly inform impacted parties and offer identity protection services pending completion of the account review process. The entity also committed to reinforcing its security measures to prevent future occurrences.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 17, 2019, PSL Services, a Maine-based HIPAA-covered entity operating under Peregrine Corporation, discovered suspicious activity within an employee’s email account, prompting an immediate investigation. The inquiry, supported by a third-party forensic specialist, revealed unauthorized access to multiple employee email accounts between December 16 and December 19, 2019. The compromised accounts potentially contained sensitive personal and health information, though the full scope remained under review at the time of the February 15, 2020, public disclosure. Analysis confirmed the exposed data types included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical information, and Maine Care numbers, with variability in impacted data per individual. PSL Services initiated a comprehensive audit of the affected email accounts to identify all individuals whose information was accessed, a process described as time-consuming due to the need to manually review account contents. The breach timeline indicated a four-day window of unauthorized access before detection and containment. No external threat actor or attack vector was specified in the disclosure, though the compromise centered on email account intrusions rather than broader network or system infiltration.
PSL Services notified the U.S. Department of Health and Human Services Office for Civil Rights, the Maine Attorney General’s office, and major Maine media outlets by February 15, 2020, fulfilling regulatory and state disclosure obligations. The entity committed to providing written notifications and complimentary identity protection services to all impacted individuals upon completion of its ongoing review. While the total number of affected individuals remained undisclosed in the available report, PSL Services emphasized implementing additional security safeguards and reevaluating existing measures to prevent recurrence. The public advisory urged vigilance but did not specify technical remediation steps taken beyond the forensic investigation. No ransomware, data extortion, or secondary misuse of information was cited in the disclosure. PSL Services planned continued coordination with authorities as the review progressed, prioritizing identification of affected parties and mitigation of potential harm from the exposed personally identifiable and protected health information.