Cyber Incident Victim: Legacy Post Acute Care

Legacy Post Acute Care, based in California, experienced a data breach involving unauthorized access to several employee email accounts over a period spanning from January 19 to March 3, 2022. The organization discovered this incident in September 2022, indicating a delayed detection timeline of approximately six months following the initial intrusion. The compromised email accounts contained sensitive patient information, including names, Social Security numbers, treatment details, health insurance information, financial data, prescription records, and patient account or medical record numbers. No evidence suggested that the unauthorized party had engaged in identity fraud or misuse of the accessed information as of the notification date. The organization did not disclose the exact number of affected individuals or the method by which the email accounts were compromised.

Upon discovery, Legacy Post Acute Care initiated response measures focused on securing systems and reinforcing data protection protocols. The organization emphasized its commitment to privacy safeguards through existing precautions and stated intentions to continually evaluate and modify internal controls to enhance security. While specific technical containment steps were not detailed, the breach notice highlighted ongoing efforts to strengthen policies against similar incidents. No credit monitoring or identity theft protection services were mentioned as being offered to affected patients, contrasting with other contemporaneous breach responses in the healthcare sector. The incident timeline revealed a two-month unauthorized access period followed by a six-month gap between breach termination and discovery, though investigation durations and forensic methodologies remained unspecified in available disclosures.