Cyber Incident Victim: Commonwealth Care Alliance of California
Date:
May 2022
Location:
United States of America
Summary
Commonwealth Care Alliance of California experienced a cybersecurity incident where an unauthorized party accessed its network over several months, compromising sensitive consumer data including names, Social Security numbers, dates of birth, government-issued IDs, medical diagnoses, treatment details, prescription information, and health insurance data. The organization detected system disruptions, secured its infrastructure, engaged law enforcement and external cybersecurity experts, and confirmed that files were exfiltrated during the intrusion. Affected individuals were notified following an internal review to identify impacted data subjects and the specific information involved. The breach highlights risks to protected health information held by healthcare providers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 16, 2022, Commonwealth Care Alliance of California (“CCA Health California”) detected disruptions affecting portions of its IT systems, prompting an investigation into a potential cybersecurity incident. The organization immediately secured its network, notified law enforcement agencies, and engaged a third-party data security firm to determine the nature and scope of the breach. Forensic analysis confirmed unauthorized access to CCA Health California’s network between May 4, 2022, and September 16, 2022, during which an intruder exfiltrated files containing sensitive consumer data. The investigation verified that the compromised files included personally identifiable information and protected health information, though the specific data elements varied among affected individuals. CCA Health California subsequently conducted a comprehensive review of the accessed files to identify impacted parties and the types of information exposed.
On November 15, 2022, CCA Health California formally reported the breach to the California Attorney General and initiated notifications to affected individuals via mailed data breach letters. The compromised information encompassed names, contact details, demographic data, dates of birth, Social Security numbers, passport numbers, government-issued identification numbers (including driver’s license numbers), medical diagnosis and treatment details, prescription records, Medical Record Numbers, laboratory test results, provider names, service dates, and health insurance information with plan member IDs. The breach exposed sensitive data of an undisclosed number of individuals, creating risks of identity theft and fraud. CCA Health California, a subsidiary of the Boston-based nonprofit Commonwealth Care Alliance founded in 2003, operates alongside affiliates in Massachusetts, Rhode Island, and Michigan. The organization employs over 4,100 personnel and generates approximately $2 billion in annual revenue. No additional operational disruptions or post-breach containment measures beyond the initial system security actions were disclosed in the regulatory filing.