Cyber Incident Victim: Nonstop Health
Date: Dec 2022
Location: United States of America
Summary
Nonstop Health experienced a significant data breach that exposed sensitive personal information, including names, dates of birth, addresses, Social Security numbers, and additional details such as phone numbers and employment data, alongside proprietary source code. The compromised data, which affected multiple clients, was leaked on hacking forums, and the reported scale of impact varied across the organization's notifications to state and federal authorities. Although the leak was public, the organization's initial communications omitted any reference to the forum exposures, and repeated inquiries yielded limited substantive response regarding the breach's scope or mitigation efforts.
Description
In late December 2022, Nonstop Health, a health insurance provider serving employers with over 50 employees across Concord, California, and Portland, Oregon, experienced a data breach involving protected health information covered under business associate agreements. Between January 17 and 18, 2023, an unidentified threat actor leaked purported Nonstop Health data and source code on two prominent hacking forums. The personal information exposed included names, dates of birth, postal addresses with state and ZIP codes, personal email addresses, and Social Security numbers. A subset of records also contained cellphone numbers, employment statuses, job titles, and annual salaries. Forum samples indicated the data originated from multiple clients rather than a single source, with the full leak comprising 43,532 lines. Source code files initially surfaced on a Russian-language forum prior to broader dissemination. DataBreaches.net attempted to contact Nonstop Health repeatedly starting January 19 but received only automated acknowledgments promising responses within 24-48 hours, none of which materialized. The outlet also directly emailed three individuals identified in the leaked samples on January 29 and reached out to the forum poster on January 24 and 29 without eliciting replies. The breach’s entry vector, whether ransomware was involved, and any negotiation attempts remained unconfirmed due to Nonstop’s silence and the attacker’s unresponsiveness.

Nonstop Health began notifying regulators and affected parties in February 2023 but provided inconsistent impact disclosures across jurisdictions. On February 15, the company reported to Indiana authorities that 796 patients were impacted, though its notification letter omitted any reference to the January forum leaks already documented by researchers. In March, Nonstop submitted a breach report to the U.S. Department of Health and Human Services citing 8,571 affected patients without specifying the covered entities. That same month, it notified the Maine Attorney General’s Office on behalf of Mat-Su Health Services regarding 462 impacted patients. On May 26, Nonstop filed a separate notification with the California Attorney General’s Office concerning a breach affecting Eisner Health patients. The organization did not publicly clarify the relationship between these segmented disclosures and the forum leaks containing broader employee and beneficiary data. No statements confirmed whether affected clients or individuals received direct notifications about the exposure of their information in the January leaks.
