On October 6, 2022, Eventus WholeHealth, PLLC (“Eventus”) filed an official notice of a data breach with the Attorney General of Montana after the company learned that an unauthorized party had gained access to an employee’s email account. According to Eventus, the breach resulted in sensitive consumer information being compromised. While the company has not yet released the specific type of information that was leaked, based on state data breach reporting requirements, it likely involved one or more of the following: Social Security numbers, financial account information or protected health information. Recently, Eventus sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

What We Know About the Eventus WholeHealth Data Breach

The available information regarding the Eventus WholeHealth breach comes from the company’s filing with the Attorney General of Montana. According to this source, on June 1, 2022, Eventus detected suspicious activity pertaining to an employee email account. In response, the company terminated all unauthorized access to the account and retained the services of an outside cybersecurity firm to assist with the company’s investigation.

As a result of the Eventus investigation, on August 17, 2022, the company confirmed that an unauthorized party had gained access to the employee’s email account, as well as the personal and sensitive information of certain individuals contained in emails and attachments.

Upon discovering that sensitive consumer data was made available to an unauthorized party, Eventus WholeHealth began to review the affected files to determine what information was compromised and which consumers were impacted. Eventus has not yet released the specific data types that were subject to unauthorized access. However, under the Montana data breach reporting requirements, companies only need to report a breach if it involves one or more of the following:

• Social Security numbers,

• Driver’s license or state identification numbers,

• Protected health information, or

• Financial account information.

On October 6, 2022, Eventus WholeHealth sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Eventus WholeHealth, PLLC is a healthcare provider based in Concord, North Carolina that was formed as a result of a merger between OnsiteCare, Extended Care Specialist, and DoctorsMakingHouseCalls. Eventus WholeHealth provides primary care and mental health services to medically vulnerable adults residing in post-acute care facilities, assisted living, and independent living communities. Eventus WholeHealth employs more than 311 people and generates approximately $13 million in annual revenue.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Eventus WholeHealth data breach, please see our recent piece on the topic here.