PHI of Employees Exposed Due to a Cyberattack on Waste Management Company

USA Waste-Management Resources, LLC has begun informing a number of employees, ex-employees, and dependents covered by its self-managed health plan regarding the potential compromise of some of their personal data and protected health information (PHI) because of a January 2021 cyberattack.

Waste-Management Resources stated it detected suspicious activity in its IT networks on January 21, 2021 and the company started an investigation with the help of third-party computer forensics experts. The investigation confirmed that an unauthorized person had obtained access to its systems from January 21 to January 23, 2021 and accessed and/or stole selected files during the attack.

A comprehensive review was done to find out if any files were kept on the breached sections of its network including any sensitive data. That undertaking was finished on June 21, 2021.

As per the review, the following types of data were exposed and might have been likely compromised: Names, taxpayer ID numbers, Social Security numbers, government ID numbers, driver’s license numbers, state ID numbers, birth dates, debit/credit card numbers, passport numbers, financial/bank account numbers, medical background/treatment data, medical insurance data, and email address/username and passwords for financial electronic accounts. According to Waste-Management Resources, it cannot determine which files were really exfiltrated during the attack.

Waste-Management Resources began sending notification letters to affected persons on August 11, 2021. Although the investigation is still in progress, the company is already taking steps to put in place supplemental safeguards and evaluate policies and procedures associated with data privacy and security.

Impacted persons were instructed to keep track of their financial accounts for any indication of misuse of personal data, and to get a free credit report from one of the 3 big credit monitoring agencies, and to consider filing a free fraud alert or perhaps a credit freeze on their records. It doesn’t seem that Waste-Management Resources is offering any credit monitoring and identity theft protection services, in spite of the considerable and remarkably sensitive nature of information potentially exposed in the attack.

About Christine Garcia 1191 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA