Data Stolen from American Osteopath Group

    The personal data of thousands of individuals have been stolen from a non-profit professional membership organization located in Illinois.

    Cyber-thieves struck the American Osteopathic Association (AOA) in the summer of 2020, making off with information that included names, Social Security numbers, and financial account details.

    The AOA, which is headquartered in Chicago, represents around 151,000 osteopathic physicians and medical students across the United States. The association was tipped off to the attack when suspicious activity was recorded on some of its systems on June 25 last year.

    The network was shut down, and computer forensic specialists were brought in to investigate the nature and scope of the security incident. It was determined that attackers had managed to breach systems where personally identifiable information was contained and had exfiltrated data from those systems.

    AOA undertook a review to establish what data had been accessed and which individuals had been impacted by the cyber-attack. As a result, it was concluded that the exfiltrated data included names, addresses, dates of birth, Social Security numbers, financial account information, and email addresses/usernames and passwords.

    In a breach report submitted on October 13 to the state of Maine’s attorney general’s office, the AOA stated that 27,485 individuals, including 209 Maine residents, had been impacted by the incident.

    The AOA has just begun mailing out breach notification letters to affected individuals, offering them a year of free credit monitoring.

    A sample of the breach notice states that the total population of impacted individuals was determined by June 1, 2021. The delay in notifying those individuals is attributed in the letter to the coronavirus pandemic.

    “Like many businesses, the COVID-19 pandemic presented considerable challenges to AOA’s normal business operations,” states the letter. “As a result, it has taken an extended time for AOA to identify the names and addresses of impacted individuals due to the pandemic’s impact on our staff’s working conditions, and their inability to be on location to identify all potentially impacted parties.”

    The AOA said it was unaware of any actual or attempted malicious use of the data stolen in the cyber-attack.