The Facial Pain Center based in Minnesota has reported that an unauthorized person accessed some email accounts of employees in January 2024, compromising the protected health information (PHI) of 1,894 people. The breach was detected on January 23, 2024, when suspicious activity was identified in some staff accounts. The Facial Pain Center took immediate measures to block further unauthorized access and started an investigation to evaluate the extent and consequence of the incident.
To assist with the investigation, the Center engaged a third-party cybersecurity company. The investigation confirmed that the attacker had access to emails and correlated file shares, but it remains unclear how much patient data was accessed or stolen. Because of the volume of affected information and the number of email accounts, the review process took several months to complete, finally concluding on June 10, 2024.
The compromised information differed from person to person and might have involved names together with other sensitive information, such as birth dates, demographic details, medical records, and/or medical insurance data. The Facial Pain Center had put in place safeguards, such as multi-factor authentication, to protect data in its email accounts before this incident. In response to the breach, the Center is enhancing these security measures to prevent the same occurrences later. Notification letters were sent to the impacted people, advising them to stay vigilant for any case of improper use of their data. However, the company did not provide any credit monitoring or identity theft protection services as part of the breach response.
Based on the report, the Facial Pain Center stated its commitment to data security, noting that the incident is under control and remediated. The investigation confirmed that an unauthorized actor possibly viewed or stole some information stored in some employee email accounts and/or associated shared files. The center is committed to protecting data and aiding patients and partners in the event of a data breach. It has begun informing any people whose personal data might have been affected.