ATC Healthcare Services, LLC Announces Data Breach

Console and Associates, P.C.

Recently, ATC Healthcare Services, LLC confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive patient information through multiple compromised employee email accounts. According to ATC, the breach resulted in the names, Social Security numbers, driver’s licenses, financial account information, usernames and passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures, and employer-assigned identification numbers being compromised. On July 1, 2022, ATC filed official notice of the breach and sent out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the ATC Healthcare Services data breach, please see our recent piece on the topic here.

What We Know About the ATC Healthcare Services Data Breach

According to a notice posted on the company’s website, on December 22, 2021, ATC detected unusual activity involving certain employee email accounts. In response, ATC secured the compromised email accounts and launched an investigation to determine the nature and scope of the incident.

The company’s investigation confirmed that multiple employee email accounts were accessible to an unauthorized party at varying times between February 9, 2021 and December 22, 2021. Additionally, ATC could not rule out that the unauthorized party accessed or stole the patient data contained within the email accounts. Thus, the company began a manual review of all the files and attachments contained within the affected email accounts.

On June 2, 2022, ATC completed its review of the compromised information. While the breached information varies depending on the individual, it may include your name, Social Security number, driver’s license number, financial account information, username and password, passport number, biometric data, medical information, health insurance information, electronic/digital signature, and employer-assigned identification number.

On July 1, 2022, ATC Healthcare Services sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About ATC Healthcare Services, LLC

Founded in 1982, ATC Healthcare Services, LLC is a healthcare staffing company based in Lake Success, New York. The company consists of 65 company-owned franchise locations, through which it provides registered nurses, CNAs, LPNs, LVNs, pharmacists and other healthcare workers to practices in need of temporary or permanent assistance. ATC Healthcare Services employs more than 1,000 people and generates approximately $100 million in annual revenue.

How Do Hackers Access Employee Email Accounts?

While ATC Healthcare Services explained that the recent data security incident involved unauthorized access to multiple employee email accounts, the company did not elaborate on how the unauthorized party gained access to the employees’ email accounts. Email-based cyberattacks are increasingly common, in part because they have been so successful over recent years. There are several ways that hackers or other cybercriminals can access employee email accounts.

Phishing

The most common way for hackers to gain access to an employee’s email account is through an email phishing attack. According to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing. Phishing describes a type of cyberattack in which a malicious actor sends a seemingly legitimate email to an employee of the targeted company. In the email, the hacker asks the recipient to either provide their login credentials, click on a malicious link, or download a malicious file. To do this, the hacker relies on social engineering principles to “trick” the employee into providing the requested information. For example, a common phishing tactic is for a hacker to send an email that appears to come from management, asking an employee to verify their login credentials.

Brute Force Attack

Brute force attacks are less common than email phishing, but still pose a serious threat. When a hacker obtains a username-password combination, they input this information into a database, which may be shared with other cybercriminals. A brute force attack involves a hacker plugging known username-password combinations into a program that automatically tries the combinations on various websites (this use of previously stolen credentials is commonly called credential stuffing). Brute force attacks are why it is critical to change the passwords on all your online accounts after a password is compromised.

Old-Fashioned Guesswork

Have you ever tried to set a password and had the site reject it because your proposed password contains part of your name, address or Social Security number? This is to help prevent a cybercriminal from guessing your password. People tend to pick the same types of passwords. For example, it is common for people to choose a password that includes some of their own information. Similarly, there are certain passwords that are frequently chosen because they are easy to remember or type in, such as “password123” or “qwerty123.” Hackers create databases containing the most commonly used passwords, which they can use to access an employee’s email account.

Of course, organizations are aware of the risks of unauthorized access to employee email accounts and should employ data security systems that prevent these types of attacks. For example, many companies lock a user out if they enter an incorrect password a certain number of times. From there, the employee’s account can only be re-activated with an administrator’s approval. Companies that fail to maintain robust data security systems put the consumer data in their possession at unnecessary risk of exposure.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising
