Cyber Incident Victim: Elara Caring

Elara Caring, a home-based care provider, experienced a data security breach involving unauthorized access to corporate email accounts. The organization discovered the incident in mid-December 2019 and subsequently initiated notifications to over 100,400 patients beginning in November 2020. Compromised email accounts contained both employee and patient information, though the specific timeframe of the breach and method of detection were not disclosed publicly. Elara Caring’s website notification confirmed the exposure of sensitive data but did not identify the attackers or their motives. The breach was reported to the U.S. Department of Health and Human Services (HHS) on February 24, 2020, with 100,487 patients listed as affected, though this entry appeared in the public breach database months later.

The compromised email accounts held personally identifiable information (PII) and protected health information (PHI), including names, addresses, Social Security numbers, driver’s license numbers, Employer ID numbers, financial or bank account details, dates of birth, email addresses with passwords, insurance information, insurance account numbers, and passport numbers. Elara Caring explicitly stated no evidence indicated data exfiltration, access, or misuse by the intruder at the time of notification. The organization directed affected individuals to review its website notice for additional details but did not disclose technical remediation steps or third-party forensic involvement. Public records show the breach impacted individuals across multiple data categories, though the geographic scope and operational disruptions remained unspecified. HHS records confirmed the incident as one of the larger healthcare breaches reported in early 2020 based on patient count.