Northwood suffers data breach compromising personal information of its customers

• The compromised email account contained information related to certain customers who received durable medical equipment either supplied or managed by Northwood.
• The information includes names, addresses, dates of birth, dates of service, provider name, medical record numbers, patient identification numbers, medical device description, diagnosis, diagnosis codes, treatment information, member health plan identification, Social Security numbers, driver’s license number, and health insurance provider names.

Northwood suffered a data breach incident after unauthorized third-parties gained access to an employee’s email account.

What happened?

On May 6, 2019, Northwood became aware of suspicious activity relating to an employee’s email account. Upon which, the organization launched an investigation and determined that an unauthorized third-party gained access to an employee’s email account between May 3, 2019, and May 6, 2019.

What information was involved?

On June 19, 2019, Northwood determined that the compromised email account contained information related to certain customers who received durable medical equipment either supplied or managed by Northwood.

The information included names, addresses, dates of birth, dates of service, provider name, medical record numbers, patient identification numbers, medical device description, diagnosis, diagnosis codes, treatment information, member health plan identification, Social Security numbers, driver’s license number, and health insurance provider names.

The email account also contained information related to certain healthcare providers in connection with their exclusion status with the Centers for Medicare & Medicaid Services, including their names and Social Security numbers.

What was the response?

• Upon discovery, Northwood took down the impacted email account and changed the account password.
• The organization has implemented password resets for all employee email accounts and notified employees to remain vigilant against suspicious emails.
• It has also implemented additional security measures to its email system and is providing training and education to its employees in order to prevent such incidents from happening in the future.
• Northwood has reported the incident to law enforcement and is notifying the potentially impacted individuals.
• Further, it is providing free credit monitoring services for all impacted individuals.

“Although we cannot confirm that any individual’s personal information was actually accessed, or viewed without permission, we are providing this notice out of an abundance of caution. While our investigation is ongoing, we do not currently have any evidence of actual or attempted misuse of any individual’s information as a result of this incident,” Northwood said in a security notice.