Cyber Incident Victim: Eversana

The EVERSANA data breach occurred between April 1 and July 3, 2019, when unauthorized actors accessed protected health information and other sensitive data through a legacy technology environment. The global healthcare commercial services provider discovered the incident after being alerted to unusual email activity, though the exact notification method (internal detection versus external report) remains unspecified in available disclosures. Upon identifying the suspicious activity, EVERSANA initiated a comprehensive investigation that concluded approximately ten months later on February 7, 2020. During this period, the company secured the compromised legacy system by implementing unspecified updates to the technology environment. The breach duration of over three months indicates sustained unauthorized access before containment measures were completed.

The investigation confirmed potential exposure of extensive personal and medical information, including names, addresses, Social Security numbers, driver's licenses, passport numbers, financial account details, medical record numbers, health insurance information, treatment diagnoses, prescription data, and Medicare/Medicaid identifiers. While EVERSANA stated they found no evidence of actual or attempted misuse of the compromised data, the breadth of exposed information created significant risk for identity theft and medical fraud. The notification did not disclose the number of affected patients or whether the incident qualified as a HIPAA breach requiring reporting to HHS/OCR. External inquiries regarding the discovery timeline, patient impact statistics, and regulatory status as a business associate remained unanswered at the time of public disclosure in April 2020. The company's public statement focused on remediation of the legacy system without detailing specific attacker methodologies or operational disruptions caused by the breach.