Data Breach at SuperCare Health Affected 300,000 Patients

A California-based healthcare service provider called SuperCare Health recently reported a major data breach that affected over 300,000 patients.

SuperCare published a notice about the data breach on its website. The kicker in this incident is that the breach took place in mid-2021 and was announced only recently.

Breach happened more than six months ago

The company became aware of unauthorized activity on its servers on July 27, 2021. External security experts were hired to patch up the leaking database and investigate. The hired team found that the threat actor who had gained unauthorized access to the data stored on the servers had access to "certain systems" on SuperCare's network between July 23 and July 27, more than ample time to exfiltrate everything needed.

This is where things get very strange. SuperCare states that it determined only in early February 2022 that the "potentially impacted file" contained sensitive patient data. Why it took the hired external help and the company's own IT staff more than six months to figure this out is not made clear in the announcement.

What is made very clear, however, is that the information that the company believes was accessed contained a plethora of sensitive and personally identifiable patient information. The data set includes patient names, addresses, dates of birth, medical record numbers, health insurance information, diagnostic information, and "other health-related information".

An unlucky smaller percentage of the individuals affected by the data leak also "may" have had their social security numbers and driver's license numbers exposed in the breach.

Affected individuals informed in late March 2022

To make things even more confusing, SuperCare took another month between the discovery of the data leak and the date on which it informed the affected parties. Individuals affected by the data breach were informed about it just a couple of weeks ago, on March 25, 2022.

SuperCare stated they were not aware of any misuse or malicious handling of the impacted information, but that more or less means they have not been contacted by the third party who accessed the information and were not threatened with a leak. This still doesn't rule out the possibility that the data set was quietly sold in an underground marketplace.

Reporting on the data leak incident, SecurityWeek placed it among the top 50 biggest medical leaks by volume of affected individuals of the past couple of years.

April 11, 2022