Covenant Care California, LLC recently issued a follow-up notice to those impacted by a data breach occurring earlier this year. The company initially sent out data breach letters on May 6, 2022, explaining that the breach involved a single employee’s email account. However, according to a “Notice of Data Event” posted on the company’s website on June 24, 2022, Covenant Care confirmed that multiple employee email accounts were compromised. As a result of the Covenant Care of California breach, the names, medical information, health insurance information, dates of birth, Social Security numbers, driver’s license numbers, and other personal information of certain patients was compromised.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Covenant Care California data breach, please see our recent piece on the topic here.
The Timeline of the Covenant Care California Data Breach
According to the most recent notice provided by Covenant Care, on around April 24, 2022, management discovered that an employee at a Covenant Care facility was experiencing unusual issues with her email account. In response, Covenant Care California secured the employee’s email account and launched an investigation to learn more about the incident.
Through this investigation, the company confirmed that the employee had responded to an email phishing attack, providing the unauthorized user with access to her email login credentials. The investigation revealed that additional employees’ email addresses were also compromised. It remains unclear if these other employees also responded to the phishing email. The company reports that the period of unauthorized access was from February 24, 2022 to May 3, 2022.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Covenant Care California began reviewing the data in the email accounts to determine exactly what information was compromised. The company’s review is ongoing; however, it has identified some of the compromised data, which includes affected parties’ names, medical information, health insurance information, dates of birth, Social Security numbers, driver’s license numbers, and other personal information.
On May 6, 2022, Covenant Care California issued initial data breach letters. However, on June 24, 2022, Covenant Care sent out another round of additional data breach letters after learning additional details about the incident.
Covenant Care California, LLC is a provider of short- and long-term residential treatment based in Aliso Viejo, California. The company operates 30 skilled nursing facilities, assisted living facilities, rehabilitation centers, and residential care centers across California and Nevada. Currently, Covenant Care provides care for more than 4,000 residents and patients. Covenant Care’s rehabilitation facilities operate under the name AFFIRMA. The company provides home healthcare services under the names Focus Health, Elevate Home Health, Choice Home Health Care, and San Diego Home Health. Covenant Care California employs more than 8,000 people and generates approximately $1 billion in annual revenue.
What Is Protected Health Information and Why Is It So Important?
Covenant Care reported that the recent data security incident affected a significant amount of patient data. Among the data types leaked were patients’ names, Social Security numbers, medical information, and health insurance information. Based on the company’s report, this would appear to be protected health information. Protected health information is identifying information relating to a patient’s past, present or future health condition or how a patient pays for their healthcare.
Healthcare-related data, on its own, isn’t necessarily protected health information. However, if healthcare data also contains one or more “identifiers” that can be used to pair up the data with a specific patient, it is considered “protected health information.” Identifiers include names, Social Security numbers, addresses, or anything else that can be used to identify the person to whom the information belongs.
The harms that can stem from a data breach involving protected health information are very real. As with the case in other types of data breaches, the data obtained through a healthcare data breach provides the hacker with the information they need to commit identity theft or other frauds. However, identity theft following a healthcare data breach is much worse.
For example, cybercriminals will often orchestrate these attacks in hopes of accessing valuable information they can then sell to a third party. The third party often purchases this information intending to use it to get medical care in the victim’s name. This carries financial consequences for the victim because either their insurance gets billed or, if they do not have insurance, they receive the bill in their name.
The other, more serious risk is that a person obtains care in your name and provides the treating doctor with information about themselves that ends up in your medical record. For example, a fraudulent patient may provide a doctor with a list of their allergies or medications. This could mean the next time you go to the doctor; they have incorrect information in your file.
