Newsletter 01/21/2024
If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal

Hacking Hits Home
Keenan and Associates Suffers a Breach

So there I was, minding my own business, looking for a dermatologist on the website of my HMO (THIPA), and my spidey cyber senses went up to 11.  The last thing one wants to see on the website of any entity associated with one's healthcare is the phrase "Notice of Data Breach."  Ruh Roh! was my first response.  Followed up with Data Breach!  What Data Breach?  We don't need no stinkin' Data Breach!  So into this swamp I dove.  I clicked the link.  Here is what I have learned.

Letter of Notice of Data Security Incident

Keenan & Associates (“Keenan”) is an insurance brokerage company that provides insurance-related risk management, and claims services throughout California and to clients across the country. Keenan services companies and organizations across a variety of industries, and, in the course of its work on behalf of clients is at times provided access to personal information as a part of the client engagement. We receive and utilize this data for the purposes of performing services for its clients.

Keenan experienced a cybersecurity incident that involved some of your personal information. Keenan was in possession of that information due to its work (i.e. benefit enrollment and/or claims processing) for Torrance Memorial Medical Center. This notice explains the incident, steps we have taken in response, and additional information on steps y[sic] may take to help protect your information.

The notice was dated January 02, 2024.  The breach, however, occurred "between approximately August 21, 2023, and August 27, 2023," according to the notice.  Keenan & Associates discovered the breach on August 27, 2023, yet did not disclose the fact of the breach to its clients who may be impacted by it until December 12, 2023.  This is according to a notice of the attack posted on the website of the College of the Canyons (CoC).  CoC is another California entity victimized by the breach.  The CoC notice was the only other source I could find online that contained actual facts concerning the breach itself, and it was the only place where it was said that the company was "the target of a ransomware incident."  The CoC notice mentions a letter sent to the Office of the California Attorney General.  A copy of that letter can be read here [pdf will open].

Concerning this incident, there's a whole lot of irresponsibility going on.  First of all, the delay in reporting can only be described as unconscionable.  Although, as of yet, there is no single standard written into law for how long an entity has to report a cyber incident, a 5-month delay in reporting is certainly not in step with the 4-day reporting rule proposed by the Biden Administration recently.

In the announcement that appeared on the THIPA website, Keenan and Associates stated that "To help prevent a similar type of incident from occurring in the future, we implemented additional security protocols designed to enhance the security of our network, internal systems and applications."  Well, bless their little pea pickin' hearts.  Now that the firm has been hacked, again, its management decided only after the fact to implement stronger security measures.

The questions I think need to be answered concerning the Keenan attack are:
1. How many individual consumers had their personal information exfiltrated?
2. What vulnerability was exploited by the attackers that caused the incident?  Was the vulnerability a zero-day vulnerability that may have had no mitigation at the time of the attack?  Or did Keenan and Associates fail to patch a known vulnerability?  And if that was the case, who made the decision not to patch?
3. If the nature of the attack was ransomware, what was the amount of the ransom demand, and did Keenan and Associates pay the ransom?  If so, how much was paid to the attackers?
4. Did Keenan and Associates carry cyber insurance?  If so, how much, if any, was paid to the attackers from insurance, and how much, if any, was paid by Keenan and Associates?

The questions above are common issues concerning any cyber attack today that Keenan and Associates should make known to the public.  But so far, nothing about these questions that I ask here has been forthcoming from any source.  Of course, these questions eventually might be answered in a court of law.

On what planet do these people live?  The US Department of Health and Human Services (HHS) publishes on its website an extensive list, "Notice to the Secretary of HHS Breach of Unsecured Protected Health Information."  The cyber events noted on that HHS list are "Cases Currently Under Investigation."  Listed are "all breaches reported within the last 24 months that are currently under investigation by the Office for Civil Rights."  The sheer number of data breaches that involved health information was surprising even to me.  Countless is the only word I can use.  I literally could not count the number.  Below is a screenshot of the HHS listing about the Keenan breach.

The lack of timely and detailed reporting on the part of Keenan and Associates may have much to do with a growing trend.  In the wake of a cyber incident involving firms of considerable size, and where there are a tremendous number of victims, class action lawsuits against the hacked firm are quite often pursued.

Concerning this incident, according to Bing:

As of now, no lawsuits have been officially filed against Keenan & Associates for the 2023 data breach. However, attorneys are investigating whether a class action lawsuit can be filed. They are looking to hear from individuals who received a notice stating they were impacted by the breach. If your information was exposed in the breach, you may be able to start a class action lawsuit to recover compensation for loss of privacy, time spent dealing with the breach, out-of-pocket costs, and more.

Indeed, several law firms that specialize in class action tort lawsuits are soliciting individual victims of the Keenan and Associates cyber breach.  Perform a Google search on "Keenan and Associates data breach," and here is a sample of what you will find.  One website, ClassAction.org, has announced that "Attorneys working with ClassAction.org are looking into whether a class action lawsuit can be filed in light of the Keenan & Associates data breach."  It is only one of several similar entries that will result from the Google search.

Read 'em and weep, as the old poker adage goes.

¯\_(ツ)_/¯
Gerald Reiff