Numotion, a leading medical equipment provider, experienced a cybersecurity breach in early March 2024, compromising the protected health information (PHI) of 602,265 individuals.
What happened
On March 2, 2024, Numotion discovered that its computer systems were breached by an unauthorized third party who deployed ransomware to encrypt files. Numotion has since secured its systems to prevent further unauthorized access and engaged a third-party cybersecurity firm to investigate the incident.
The forensic investigation revealed that the attackers accessed Numotion systems from February 29, 2024, to March 2, 2024. During this period, they exfiltrated files containing protected health information (PHI).
The compromised data included names, dates of birth, equipment order details, supporting medical documentation, and medical insurance information. Additionally, a subset of individuals had their Social Security numbers and driver’s license numbers exposed.
Numotion notified affected individuals on April 15, 2024, and reported the breach to the Department of Health and Human Services (HHS) on May 1, 2024.
Initially, the breach was reported to the Maine Attorney General as affecting 4,190 individuals but the number of impacted individuals later grew to 602,265, according to the HHS breach report. Despite the severity of the breach, Numotion claims that they are not aware of any actual or attempted misuse of the compromised data.
What was said
The Numotion’s data privacy incident notice states, “Numotion has arranged for complimentary identity theft protection services for those individuals whose driver’s license numbers or Social Security numbers were involved in the incident.”
Furthermore, affected individuals “should remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing their account statements and monitoring credit reports closely.”
Related: HIPAA Compliant Email: The Definitive Guide
The bottom line
Numotion's breach response demonstrates that covered entities must have incident response plans, secure systems, and promptly notify affected individuals.
Individuals affected by the Numotion data breach should monitor their financial accounts, report suspicious activity, and use the complimentary identity theft protection services offered.
Placing fraud alerts or credit freezes with major credit bureaus can provide additional protection for those whose Social Security numbers were compromised.
