Supportive Concepts for Families, Inc. Data Breach (2014)

SCFFI maintains an internal database that contains health information about our consumers. This database is used by our employees as they provide care to our consumers. The health information in this database is designed and intended to be accessible through our internal web portal only to authorized users who have been issued required log-in IDs and passwords. On December 16, 2013, we learned that the health information in our internal database was available on the internet by a Google search using the terms Supportive Concepts for Families and consumer first and last name, without using a log-in and password. The information available included names, addresses, social security numbers, dates of birth, dates of service, and consumer service notes entered by our employees. We immediately investigated the incident and determined that when SCFFI employees performed a computer hardware upgrade in February 2013, some of the portals security settings were not properly set. Without the proper security settings, it was possible to access the web portal information from remote locations without using log-in and password authorization. Within one hour after discovering the breach on December 16, we changed the security settings so that only authorized users with log-in IDs and passwords could access and view our database. In our investigation, we reviewed the access history to the database through our computer logs going back to the upgrade in February 2013. We have found only a few instances of access that we cannot identify. Most access was made by SCFFI personnel just before the breach was reported to us, or by SCFFI personnel to confirm the nature of the problem before correcting the servers security settings. We have no evidence about which records may have been accessed by unknown individuals or whether health information that may have been accessed has been misused. Because protecting your personal information is important to us, we want to make you aware of two important things you can do to protect the consumer. First, keep a close watch on your bank statements, credit card statements, personal mail and other bills and financial statements for any suspicious or unauthorized activity. Second, you may want to consider placing a fraud alert on your credit files. A fraud alert lets creditors know to contact you before opening new accounts. You may call any one of the three credit reporting agencies at the number below. This will let you automatically place fraud alerts with all of the agencies. You will then receive letters from all of them, with instructions on how to get a free copy of your credit report from each.