Paubox News | HIPAA Compliance, Email Security and Healthcare Tech

Numotion data breach affected over 600,000 patients

Written by Caitlin Anthoney | June 13, 2024

Numotion, a leading medical equipment provider, experienced a cybersecurity breach in early March 2024, compromising the protected health information (PHI) of 602,265 individuals.

 

What happened

On March 2, 2024, Numotion discovered that its computer systems were breached by an unauthorized third party who deployed ransomware to encrypt files. Numotion has since secured its systems to prevent further unauthorized access and engaged a third-party cybersecurity firm to investigate the incident.

The forensic investigation revealed that the attackers accessed Numotion systems from February 29, 2024, to March 2, 2024. During this period, they exfiltrated files containing protected health information (PHI). 

The compromised data included names, dates of birth, equipment order details, supporting medical documentation, and medical insurance information. Additionally, a subset of individuals had their Social Security numbers and driver’s license numbers exposed.

Numotion notified affected individuals on April 15, 2024, and reported the breach to the Department of Health and Human Services (HHS) on May 1, 2024. 

Initially, the breach was reported to the Maine Attorney General as affecting 4,190 individuals, but the number of impacted individuals later grew to 602,265, according to the HHS breach report. Despite the severity of the breach, Numotion claims that they are not aware of any actual or attempted misuse of the compromised data.

 

What was said

Numotion’s data privacy incident notice states, “Numotion has arranged for complimentary identity theft protection services for those individuals whose driver’s license numbers or Social Security numbers were involved in the incident.”

Furthermore, affected individuals “should remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing their account statements and monitoring credit reports closely.”

The bottom line

Numotion's breach response demonstrates that covered entities must maintain incident response plans, secure their systems, and promptly notify affected individuals.

Individuals affected by the Numotion data breach should monitor their financial accounts, report suspicious activity, and use the complimentary identity theft protection services offered. 

Placing fraud alerts or credit freezes with major credit bureaus can provide additional protection for those whose Social Security numbers were compromised.