Cyber Incident Victim: Lifespire Services
Date:
Jan 2022
Location:
United States of America
Summary
Lifespire Services experienced a cybersecurity incident involving unauthorized access to its systems, compromising sensitive consumer data including personal identifiers, financial details, and medical information such as Social Security numbers, bank account data, medical diagnoses, and insurance details. The breach impacted approximately 15,375 individuals receiving developmental disability support services across multiple New York locations. Following discovery, the organization suspended network access, initiated an investigation with cybersecurity experts, and notified affected parties and regulatory authorities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 8, 2022, Lifespire Services, Inc. discovered a cybersecurity incident affecting its computer systems. The organization immediately suspended network operations to prevent further unauthorized access and engaged a cybersecurity firm to investigate the breach. The investigation determined that an unauthorized party accessed certain files containing sensitive consumer information between January 14, 2022 and February 8, 2022. Lifespire conducted a comprehensive review of the compromised files to identify affected individuals and the specific data elements exposed. The analysis revealed unauthorized access to names, addresses, Social Security numbers, dates of birth, driver's license numbers, passport numbers, bank account information, credit card information, medical diagnosis and treatment details, Medicare numbers, Medicaid numbers, and health insurance information. The breach impacted 15,375 individuals who received services from the organization across its operational areas in New York City, Westchester, Ulster, and Greene County.
Lifespire Services formally notified the U.S. Department of Health and Human Services Office for Civil Rights about the breach on October 14, 2022, eight months after initial detection. The organization simultaneously mailed individualized data breach notification letters to all affected parties on that same date, detailing the compromised information categories and providing guidance on fraud prevention measures. As a provider of developmental disability services operating 82 locations with approximately 55 employees, the breach exposed highly sensitive medical and financial data of vulnerable populations. The incident prompted Lifespire to publish a "Notification of Data Security Incident" page on its website to supplement the formal communications. No technical specifics regarding attack vectors, threat actor identification, or system remediation measures were disclosed in the public filings or notifications beyond the containment action of network suspension during the investigation period.