American Osteopathic Association Notifies 27,500 People About the Data Theft in June 2020

Close to 27,500 people received notification about the stealing of some of their personal information when the American Osteopathic Association (AOA) experienced a cyberattack. AOA is specialist organization located in Chicago with members numbering about 151,000 osteopathic physicians and medical students all throughout the U.S.

On June 25, 2020, the AOA uncovered suspicious activity within selected areas of its systems and took its system offline. Forensic investigators started looking at the nature and magnitude of the breach. The investigation outcomes revealed that the attackers acquired systems access and possibly exfiltrated personally identifiable information (PII) from those systems.

A comprehensive study of the files was performed to know which individuals were affected by the attack. That review affirmed that the exfiltrated information included names, birth dates, Social Security numbers addresses, usernames/email addresses and passwords and financial account information.

The AOA reported its investigation had not received any evidence of actual or attempted improper use of the compromised data, nevertheless as a safety precaution against identity theft and fraud, the provider gave free credit monitoring and identity theft protection services to affected individuals for one year.

The persons affected by the attack were informed only after 15 months since the breach was discovered. The AOA revealed that much like many companies, the COVID-19 pandemic brought about considerable problems to its standard business procedures. Since the pandemic, AOA took longer to find out the names and addresses of the affected persons. This was a result of the pandemic’s impact on the employees’ work condition and their inability to identify all potentially affected persons. AOA only completed identifying all the impacted persons and their contact information on June 1, 2021.

According to the breach report submitted to the Maine Attorney General, AOA sent notices to the people affected by the breach on October 13, 2021.