Cyber Incident Victim: NASCO
Date: May 2023
Location: United States of America
Summary
NASCO, a healthcare organization, suffered an external system breach involving hacking. The incident compromised the personal information of over 3,600 individuals, including at least one Maine resident. The compromised data included names in combination with Social Security numbers. The company offered affected individuals 24 months of identity monitoring services through Experian.
Description
On or around May 30, 2023, NASCO, a healthcare organization based at 1200 Abernathy Rd NE #1000 in Atlanta, Georgia, experienced a breach of its external systems. The incident was characterized as an external system breach involving hacking. The unauthorized party acquired information containing names or other personal identifiers in combination with Social Security numbers. The breach was not discovered until August 21, 2023, nearly three months after the initial intrusion occurred. The total number of persons affected by this security incident was 3,616, which included a single resident of the state of Maine.

The entity engaged outside legal counsel to manage its response to the incident. The law firm of Hunton Andrews Kurth LLP, with attorney Lisa Sotto acting as the primary contact, submitted the required breach notification to the Maine Attorney General's office. The firm provided a telephone number and an email address for official correspondence related to the breach. The compromised data consisted of highly sensitive personal information, specifically the combination of names and Social Security numbers, which significantly elevated the risk of identity theft for the impacted individuals.

NASCO opted to provide written notification to all affected consumers. The mailing of these individual notification letters occurred on October 20, 2023. This date marked the formal communication from the entity to the individuals whose personal information was acquired in the breach. The notification process included a specific letter intended for the sole affected Maine resident, a copy of which was filed with the state's consumer protection division under the filename 'NASCO - Individual Notification Letter.pdf'. The entity confirmed that it had no previous breach notifications within the twelve months preceding this incident.

As part of its response, NASCO offered identity theft protection services to the affected individuals. The company enlisted Experian to provide these services, which included comprehensive identity monitoring. The offer extended coverage for a period of twenty-four months from the date of notification. This service was designed to help protect the impacted consumers by monitoring their credit and personal information for any signs of fraudulent activity following the breach.

Because only one Maine resident was affected, which is below the 1,000-person threshold, the entity was not required to notify consumer reporting agencies based solely on the Maine resident count. However, the submission to the Maine Attorney General indicated that the consumer reporting agencies had been notified, suggesting the overall scale of the breach across other jurisdictions met or exceeded relevant reporting requirements.

The technical specifics of the attack vector, the exact nature of the external systems breached, and the specific containment or eradication actions taken by NASCO were not detailed in the public notification. The response was managed through legal channels, focusing on regulatory compliance and the provision of protective services to those whose data was acquired.
