Henderson & Walton Women’s Center, P.C. Files Notice of Data Breach Following Hacked Employee Email Account

Richard Console, Jr.
Console and Associates, P.C.
Contact
LinkedIn
Facebook
X
Send
Embed

On August 23, 2022, Henderson & Walton Women’s Center, P.C. (“HWWC”) reported a data breach with the U.S. Department of Health and Human Services Office for Civil Rights after the company learned that an employee email account had been hacked. According to the HWWC, the breach resulted in the patients’ names, dates of birth, Social Security numbers, medical information, health insurance information, driver’s license numbers, and state ID numbers being compromised. After confirming the breach and identifying all affected parties, Henderson & Walton Women’s Center began sending out data breach letters to the 34,306 patients impacted by the incident.

What We Know About the Henderson & Walton Women’s Center Data Breach

The information about the Henderson & Walton Women’s Center, P.C. data breach comes from the company’s official filing with the U.S. Department of Health and Human Services Office for Civil Rights, as well as a notice posted on the company’s website. According to this information, HWWC recently learned that an employee’s email account had been hacked. Because all company emails are encrypted, the unauthorized party did not have access to the entire network but was able to access any information contained in the employee’s email account.

In response, Henderson & Walton Women’s Center secured its IT network and then enlisted the assistance of third-party forensic experts to assist the company in identifying the nature and scope of the incident. The investigation confirmed that the hacker or hackers were able to access patient information.

Upon discovering that sensitive patient data was accessible to an unauthorized party, Henderson & Walton Women’s Center began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. The company completed its review of the files and attachments in the employee’s email account on June 24, 2022. While the breached information varies depending on the individual, it may include your name, date of birth, Social Security number, medical information, health insurance information, driver’s license number, and state ID number.

On August 23, 2022, Henderson & Walton Women’s Center sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. Previously, the company had posted a notice on its website on August 18, 2022. In total, HWWC believes that a total of 34,306 people were affected by the data breach.

More Information About Henderson & Walton Women’s Center, P.C.

Henderson & Walton Women’s Center, P.C. is a healthcare provider based in Birmingham, Alabama. The practice specializes in providing women with a variety of healthcare services, including breast ultrasounds, bone density screenings, gynecology, initial infertility assessments, lab work, mammography, non-stress testing, fetal monitoring, obstetrics, surgery, and ultrasound imaging. HWWC operates locations in Birmingham, Alabaster, Chelsea, Cullman, Rainbow City/Gadsden, Jasper, and Tuscaloosa. Henderson & Walton Women’s Center employs more than 97 people and generates approximately $17 million in annual revenue.

Company Liability Following a Data Breach

The data breach and consumer protection laws of the United States provide that companies are responsible for protecting the consumer information in their possession. Under these same laws, companies that experience an otherwise preventable data breach may be liable for consumers’ losses stemming from a breach.

Of course, just because an organization gets hacked and sensitive information ends up in the hands of a cybercriminal doesn’t mean that the company is automatically liable for a victim’s losses. Ultimately, the question in these cases comes down to whether the company was negligent leading up to the breach.

In this context, negligence refers to a specific legal term that requires a data breach victim to prove the following:

  • The company owed the consumer a duty of care;

  • The company violated the duty of care owed to the consumer;

  • The company’s negligence caused or contributed to the breach; and

  • The consumer suffered damages as a result of the breach.

When it comes to storing consumer data, there are several ways that a company might be negligent. However, most data breaches involving a company’s negligence are caused either by a company failing to employ an adequate data security system or failing to train employees on how to safely care for consumer data. For example, given the risks of email phishing, companies should train employees to recognize fraudulent emails that appear to be legitimate. Of course, this isn’t to say that the HWWC breach was caused by a phishing attack. Indeed, if the company’s explanation of the incident is accurate, the incident couldn’t have been the result of a phishing attack because phishing is not technically a hacking attack.

However, regardless of the threat, organizations should continually assess their data security systems to ensure they are up-to-date and protect against the most recent trends in cyberattacks. This would include other forms of hacking, such as password attacks, malware attacks and ransomware attacks.

Companies that fail to take their data security obligations seriously increase the chances of a data breach. Data breach victims who want to learn more about their rights and whether they may be able to bring a data breach class action lawsuit should reach out to a data breach attorney for assistance.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Henderson & Walton Women’s Center data breach, please see our recent piece on the topic here.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising

Written by:

Console and Associates, P.C.
Console and Associates, P.C.
Contact
more
less

Console and Associates, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide