NorthStar EMS hacked, 82,000+ individuals affected

(image source: NorthStar EMS, n.d.)

One-sentence summary:

NorthStar Emergency Medical Services (EMS) was hacked in September 2022, breaching the PII or PHI of over 82,450 individuals per an almost 6-months long investigation/notification.

Who was involved?

NorthStar EMS, a threat actor, and 82,450 individuals or patients.

What was the timeline?

September 16, 2022: NorthStar EMS “discovered unusual activity in its digital environment.”

March 8, 2023: NorthStar EMS finalizes their breach investigation and “discovers their breach” [quotations added]

March 14, 2023: NorthStar EMS begins individual notification

What occurred?

NorthStar EMS suffered a data breach in September 2022, affecting nearly 82,450 persons and patients (Rowe, 2023). Breached data included: “individuals’ names, Social Security numbers, dates of birth, patient ID number, treatment information, Medicare/Medicaid number, and/or health insurance information” (NorthStar EMS, 2023b, para. 3).

Estimated costs:

Associated incident response costs, “independent cybersecurity experts,” 12 months of IDX identity management services, breach notification costs, M-F call center

Involved laws:

Federal: HIPAA and HITECH.

State laws: Maine: 10 M.R.S.A. § 1346

Root cause:

TBA or N/A (see disclaimer)

Lessons learned:

TBA or N/A (see disclaimer)

Sources:

NorthStar Emergency Medical Services. (2023). Northstar – Regulatory Notification Packet (ME).pdf. In Office of the Maine Attorney General: Data Breach Notifications (No. 9314140v1). Office of the Maine Attorney General. Retrieved March 16, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/ad13358b-45d7-4d7a-96a3-e6e56e2c10b2/b6e49831-4833-4d8f-9484-43617557c119/document.html

NorthStar EMS. (n.d.). untitled. wixstatic.com/. https://static.wixstatic.com/media/7f10b9_96e24d3bc77e4e6bb6a0935a8752c01f~mv2_d_4140_1366_s_2.jpg/v1/fill/w_640,h_274,al_c,q_80,usm_0.66_1.00_0.01,enc_auto/7f10b9_96e24d3bc77e4e6bb6a0935a8752c01f~mv2_d_4140_1366_s_2.jpg

NorthStar EMS. (2023b, March 14). Notice of Data Security Incident | Northstar EMS. Northstar EMS. Retrieved March 16, 2023, from https://www.northstar-ems.us/notice-of-data-security-incident

PitchBook. (n.d.). Northstar EMS Company Profile: Acquisition & Investors | PitchBook. Northstar EMS. Retrieved March 17, 2023, from https://pitchbook.com/profiles/company/114508-18#overview

Rowe, T. (2023, March 14). Office of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches. Office of Maine Attorney General. Retrieved March 16, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/ad13358b-45d7-4d7a-96a3-e6e56e2c10b2.shtml

About Post Author

Kyler Kent CISSP

I am a Threat Hunting and Intelligence Specialist and am a progressive, aspiring cyber leader. I am currently based in Dallas, with a holistic and multidisciplinary background. I am a lifelong learner– constantly seeking education and training opportunities. I maintain several cybersecurity and IT certifications. I also maintain two Texas DPS private security licenses. Finally, I have a master’s degree from Georgetown University’s SCS Cybersecurity Risk Management program. https://linktr.ee/kentprotect.com Corrections: [email protected]

http://kylerkent.com