BST Accounting Firm in Albany Had A Data Breach

Well, it happened. I received a letter, and shockingly another Albany-based business was most likely breached and customers' data could have been accessed. As if the recent attack on the Town of Colonie and the big attack on the City of Albany weren't enough, BST Accounting Firm in Albany had a data breach.

The Maze ransomware ring has taken extortion to new heights by publicly posting breached data on the Internet; the hackers threaten to fully release stolen data if the ring's victims refuse to pay to have their files decrypted. In December 2019, the Maze ransomware group published online a portion of the 120 GB of data they claimed to have stolen from Southwire. BST & Co., a certified public accountancy firm in Albany, is listed on Maze's site along with about 25 other victims, with data sets posted that "prove" customer information was stolen in a breach. What is most concerning is the delay in reporting.

Previously, in December, the website was hosted in Ireland. Southwire subsequently filed a lawsuit on December 31 against the Maze operators and won the case, and the website was taken down. In January the website was back online, this time hosted on Alibaba. Maze is using ransomware and, on its site, names companies that "do not wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases".

Ransomware Warning

The FBI started issuing warnings to U.S. companies last month; in an advisory to the private sector, the bureau called for vigilance to combat the so-called Maze ransomware. The bureau said Maze began hitting U.S. companies and organizations in November 2019.

Delay of Reporting

Just today, February 18th, 2020, letters from BST began arriving in the mailboxes of Community Care Physicians patients whose information may have been exposed in the security breach. The possibly leaked information includes protected health information, date of birth, and insurance coverage. Ars Technica reported this on January 29th, 2020, and BST states in the letter that they were breached on December 7th. What is with the delay, BST?

Data Privacy Incident Letter

The letter reads:

“Letter to Patients of Community Care Physicians, P.C. – Notice of Data Privacy Incident

BST & CO., CPA LLP ("BST") is an accounting firm in the Albany, New York area that provides accounting and tax services to your current or former healthcare provider affiliated with Community Care Physicians, P.C. ("CCP"). We are writing to tell you about a data security incident that occurred on BST's computer system. Unfortunately, the incident may have exposed some of your protected health information that we maintain for the physicians and providers of CCP. We understand the seriousness of this incident, and we believe that you should know how it happened and the steps you can take to protect your information. We would like to sincerely apologize, and we are taking steps to address this unfortunate occurrence.

What Happened

On December 7, 2019, BST learned that part of our network was infected with a virus that prohibited access to our files. We quickly restored our systems and engaged an industry-leading forensic investigation firm to determine the nature and scope of this incident. After a thorough analysis of all available forensic evidence, the investigation determined the virus was active on our network from December 4, 2019 to December 7, 2019. We determined that the virus was introduced by an unknown individual or individuals outside our organization who gained access to part of our network where we store some client files, including files from CCP.

Because there was a risk that CCP's data may have been accessed, acquired, or otherwise disclosed without authorization from BST's network, we reviewed all CCP data to determine whether it included personal information. The review, after addition of contact information, was completed on February 5, 2020, and it revealed some of the potentially accessed CCP files contained protected health information for certain individuals, including you. You may be wondering why we had your information in the first place. As part of our work for CCP, we review financial documents that may contain patient information such as names, account numbers, dates of birth, and medical billing codes.

The forensic investigation could not conclude that any of your protected health information was accessed or acquired by an unauthorized individual. However, in an abundance of caution, we are providing you with notice of the possible unauthorized disclosure and one (1) year of identity monitoring at no cost to you to allow you to take steps to protect your personal information, if you feel it is appropriate to do so.

What Information Was Involved

BST is unable to confirm whether your information was actually obtained by an unauthorized individual. Our investigation determined that as a result of this incident, some of your protected health information may have been accessed or acquired without authorization, including your first and last name, medical record number, date of birth, CPT code, and insurance description. This information appeared incidentally on CCP balance statements that were provided to us in order for BST to provide accounting services to CCP. BST does not use your information in connection with any other purpose. Your medical records and Social Security number were not impacted by this incident. We do not possess such information because CCP does not share that information with us."

The letter goes on to state what they are doing to help, what you can do, and more information.

[Image: BST accounting firm data breach letter]