
Cyber Incident Victim: Council on Aging Southwestern Ohio

Date: Jul 2021

Location: United States of America

Summary

An employee email account at the Council on Aging of Southwestern Ohio was compromised by an unauthorized external entity, leading to potential access to a file containing protected health information. The breach was swiftly contained, and an investigation confirmed no evidence of actual misuse or compromise of personal data, though exposed details included names, birth dates, addresses, Medicaid numbers, diagnoses, treatment notes, and referral forms. The organization notified affected individuals, provided complimentary identity theft monitoring services, and initiated a review of its security protocols and HIPAA compliance while reporting the incident to regulatory authorities.


Description

On July 27, 2021, the Council on Aging of Southwestern Ohio (COA) detected unauthorized access to an employee’s email account by an unidentified external entity. The intrusion was identified and halted within minutes of its occurrence, and the compromised account was promptly secured. COA initiated an immediate investigation to assess the scope and impact of the breach. The investigation revealed that a single file containing protected health information (PHI) had been accessed during the incident. This file potentially included client names, dates of birth, addresses, Medicaid identification numbers, diagnostic details, treatment notes, and referral or intake documentation. Social Security numbers were not present in the affected data. While the investigation found no evidence that any personal information or PHI had actually been viewed, extracted, misused, or otherwise compromised, COA proceeded with precautionary notifications due to the sensitive nature of the exposed data categories. The organization confirmed the incident was isolated to one email account and did not involve broader system infiltration or additional compromised accounts.

COA began notifying affected individuals by mail on September 24, 2021, within regulatory timeframes. The notification package included details about the incident, educational resources on identity theft prevention, and an offer of a complimentary one-year membership in identity monitoring and resolution services. Concurrently, COA initiated an internal review of its Health Insurance Portability and Accountability Act (HIPAA) policies, procedures, and security protocols to evaluate potential enhancements. The organization reported the breach to the Department of Health and Human Services as required by federal health privacy regulations. COA established a dedicated phone line (800-252-0155) staffed by a Privacy Officer to address client inquiries. As a nonprofit Area Agency on Aging serving five Ohio counties, COA emphasized its ongoing commitment to client privacy while maintaining its core mission of supporting older adults and individuals with disabilities through community-based services. No operational disruptions to client services were reported as a consequence of the incident.
