Third-Party Mailing Error Exposes 37K SSNs at Sound Health and Wellness Trust

August 11, 2022 - A third-party mailing error originating at Zenith American Solutions resulted in the exposure of 37,146 Social Security numbers provided to Sound Health and Wellness Trust.

Zenith American Solutions is a third-party administrator used by Sound Health and Wellness Trust, a trust managed by unions and employers that provides benefits to more than 51,000 participants.

According to its breach notice, Zenith sent a letter to the impacted individuals on June 24, 2022, reminding them to complete their health profile or personal health assessment in order to enroll in the 2023 Health Reimbursement Account.

On June 28, Zenith discovered that the mailing contained the individuals’ full Social Security number as part of the mailing label.

“The file used to prepare the mailing labels mistakenly included your SSN,” the notice stated. “Our policy is to minimize the information contained in such files to include only the information necessary for the purpose. In this instance, your SSN was not necessary and its inclusion failed to meet the standards of our policy.”

The mailing label contained the individuals’ names, addresses, SSNs, unique ID numbers, and the fact that they were enrolled in coverage through Sound Health and Wellness Trust.

“The non-compliance with our set policy standards has been addressed with our staff. Effectively immediately, we have also implemented additional quality control measures to prevent this from occurring in the future,” the notice explained.

Zenith said it had no reason to believe that any information had been misused, but offered impacted individuals free credit monitoring services. 

Living Innovations Suffers Phishing Attack

Living Innovations, which provides services to people with intellectual and developmental disabilities in Maine, New Hampshire, Rhode Island, and Connecticut, disclosed a phishing incident that impacted 4,000 individuals.

On June 7, Living Innovations discovered unauthorized access within its employee email environment. Further investigation revealed that an unauthorized party gained access to a small number of email accounts between June 6 and June 14.

“The evidence suggests that this was an attempt to induce a fraudulent invoice payment—and not to access client information,” the notice to impacted individuals stated.

“However, because we could not rule out that client information may have been viewed, we reviewed all emails and attachments in the mailboxes. Our review identified client health insurance or Medicaid information, Social Security numbers, and limited information related to services received at Living Innovations.”

Living Innovations said it would mail letters to all impacted clients and implement strengthened email security protocols and employee phishing training.

Mental Health Organization Suffers Email Security Incident

Centerstone, a nonprofit health system that provides mental health and addiction recovery services, informed an undisclosed number of individuals of a healthcare data breach that impacted its email environment. Centerstone provides services in Florida, Tennessee, Indiana, and Illinois.

According to its notice, Centerstone detected unusual activity on February 14, 2022. Centerstone later discovered that an unknown actor had gained access to and potentially obtained information from three employee email accounts from November 4, 2021 to February 14.

Centerstone said it immediately took steps to secure its environment. Centerstone began notifying patients of the breach on August 2. The incident involved names, Social Security numbers, client IDs, addresses, birth dates, diagnosis and treatment information, and health insurance information.

“The privacy and protection of personal and protected health information is a top priority for Centerstone, which deeply regrets any inconvenience or concern this incident may cause,” the notice stated.

“Centerstone is working to implement additional safeguards to help ensure the security of its email environment and to reduce the risk of a similar incident from occurring in the future.”