Cyber Incident Victim: Maxim Healthcare
Date: Oct 2020
Location: United States of America
Summary
Maxim Healthcare experienced unauthorized access to multiple employee email accounts over a multi-month period, compromising sensitive patient information. The breach exposed personal and medical details including names, contact information, medical histories, treatment records, government health identifiers, and login credentials, with Social Security numbers affected for some individuals. Following detection of unusual account activity, the organization conducted a comprehensive review of all email contents but could not confirm specific accessed data. The incident impacted 65,267 patients and prompted security enhancements such as mandatory multi-factor authentication and upgraded monitoring capabilities through a new Security Operations Center.
Description
On or about December 4, 2020, Maxim Healthcare Group discovered unusual activity involving several employee email accounts. An investigation determined unauthorized access to these accounts occurred between October 1, 2020, and December 4, 2020. The organization could not identify which specific email messages or attachments were accessed during this period. As a result, investigators comprehensively reviewed all messages and attachments within the affected accounts to assess potential data exposure. The analysis revealed that compromised information could include patient names, addresses, dates of birth, contact details, medical histories, treatment information, medical record numbers, diagnosis codes, patient account numbers, Medicare/Medicaid identifiers, and account credentials. Social Security numbers were accessible for a limited subset of individuals. Maxim Healthcare publicly disclosed the incident through a November 4, 2020 press release and website notification, characterizing the disclosure as precautionary.

Maxim Healthcare implemented multiple security enhancements following the breach, including mandatory Multi-Factor Authentication for all email accounts and migration to a new Security Operations Center featuring advanced threat detection and response capabilities. The incident impacted 65,267 individuals according to a November 9, 2020 update submitted to the U.S. Department of Health and Human Services. Patient notifications commenced in November 2021, nearly eleven months after initial detection. The organization completed its review of email contents by August 24, 2021, which preceded the notification process. No information regarding containment procedures during the active intrusion period or forensic evidence of data exfiltration was disclosed in available materials.
