Cyber Incident Victim: Merritt Healthcare Advisors

Date: Jul 2022

Location: United States of America

Summary

Merritt Healthcare Advisors experienced unauthorized access to an employee email account over a month-long period, compromising sensitive client data including personal and health information. The breach affected over 77,000 individuals and was discovered months later, prompting notifications and offers of credit monitoring and identity theft protection services. The incident was reported to regulatory authorities as required.

Description

Merritt Healthcare Advisors, a healthcare advisory firm based in Ridgefield, Connecticut, experienced a data breach involving unauthorized access to a single employee email account. The unauthorized access occurred over a 27-day period between July 30, 2022, and August 25, 2022. The breach was discovered on November 30, 2022, nearly three months after the initial intrusion window closed. The compromised email account contained sensitive data belonging to healthcare clients served by the advisory firm. While the notification did not specify exact data types beyond general references to client information, the scale of affected individuals reported to regulators indicated significant exposure across multiple client organizations.

The incident was reported to the California Attorney General as required by state breach notification laws. Notification letters to affected individuals were issued on February 28, 2023, approximately nine months after the initial unauthorized access period and three months following discovery. The breach was logged on the HHS Office for Civil Rights breach portal as affecting 77,258 individuals, making it a substantial healthcare-related data exposure. In response, Merritt Healthcare Advisors offered complimentary credit monitoring and identity theft protection services to impacted persons. The firm did not disclose technical details regarding the intrusion method, containment measures taken beyond securing the compromised account, or whether forensic analysis determined that data was exfiltrated rather than merely accessed. No information was provided regarding operational disruptions, financial impacts, or regulatory penalties resulting from the incident.