Personally Identifiable Information (PII) & Protected Health Information (PHI).
A phishing email sent to employees of a healthcare company carried a link to a convincing imitation of a legitimate login page that prompted recipients to enter their credentials. Because the pattern matched earlier credential-phishing incidents on the Office 365 platform, the company was directed to engage privacy counsel and a forensic firm; their investigation found that approximately 20 users' inboxes had been compromised in the attack.
It could not be determined whether the attacker had downloaded the entirety of each mailbox, so every message in those inboxes had to be treated as potentially exposed. To determine whether there was an obligation to notify patients, the 20 inboxes had to be searched programmatically for PII (Personally Identifiable Information) and PHI (Protected Health Information). That search turned up upwards of 350,000 documents that the automated tools could not search, each of which then required manual review by a vendor. The programmatic and manual document review, forensic costs and legal fees alone came to just under $800,000. Notification, a call center and credit monitoring added a further $150,000.
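As an added illustration (not part of the original case study, and not the forensic vendor's actual method), the shape of the programmatic sweep described above, written in Python against a constructed two-message mailbox export: it scans the text parts of each message for a few PII/PHI indicators and, separately, counts every attachment it cannot read as text. That second bucket is the "unsearchable" pile that has to go to manual review, which is where most of the cost in the incident above came from. The regular expressions, the sample messages and the choice of which content types count as searchable are all assumptions made for the example; a real review would use the identifier list agreed with counsel and would extract text from PDFs and images before giving up on them.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Illustrative indicators only (an assumption for this example, not a
# legally complete PII/PHI list). They will produce false positives and
# are meant to show the mechanics, not to define the review scope.
PII_PATTERNS = {
    # SSN with the structurally invalid area/group/serial values rejected.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "mrn": re.compile(r"\bMRN[:\s#]+\d{6,10}\b", re.I),
}

# MIME types the scanner can read directly. Anything else (images, scans,
# PDFs with no extracted text layer, office binaries) is "unsearchable"
# here and is queued for manual review.
TEXT_TYPES = {"text/plain", "text/html"}


def scan_text(text):
    """Return {indicator: count} for every pattern that matched in text."""
    hits = {}
    for name, pattern in PII_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def triage_message(raw):
    """Classify one RFC 5322 message: PII hits in readable parts, plus a list
    of (filename, content-type) for parts that must be reviewed by hand."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"subject": str(msg["subject"]), "hits": {}, "unsearchable": []}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype in TEXT_TYPES:
            for name, count in scan_text(part.get_content()).items():
                result["hits"][name] = result["hits"].get(name, 0) + count
        else:
            result["unsearchable"].append((part.get_filename() or "<inline>", ctype))
    return result


def triage_mailbox(raw_messages):
    """Per-mailbox totals: messages seen, messages with at least one hit,
    hit counts by indicator, and how many parts need manual review."""
    summary = {"messages": 0, "with_hits": 0, "hits": {}, "manual_review": 0}
    for raw in raw_messages:
        r = triage_message(raw)
        summary["messages"] += 1
        if r["hits"]:
            summary["with_hits"] += 1
        for name, count in r["hits"].items():
            summary["hits"][name] = summary["hits"].get(name, 0) + count
        summary["manual_review"] += len(r["unsearchable"])
    return summary


def build_samples():
    """Constructed sample messages standing in for a mailbox export.
    Names, addresses and identifiers are made up for this example."""
    m1 = EmailMessage()
    m1["Subject"] = "Re: referral"
    m1["From"] = "intake@example.org"
    m1["To"] = "billing@example.org"
    m1.set_content(
        "Patient Jane Roe, DOB: 03/14/1971, MRN: 00482913.\n"
        "SSN 123-45-6789 on file.\n"
    )

    m2 = EmailMessage()
    m2["Subject"] = "Scanned intake form"
    m2["From"] = "frontdesk@example.org"
    m2["To"] = "records@example.org"
    m2.set_content("See attached.\n")
    # Placeholder bytes with a PNG signature, not a real image: the point is
    # that the scanner has no text to search and must flag it for a human.
    m2.add_attachment(b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR", maintype="image",
                      subtype="png", filename="intake.png")
    return [m1.as_bytes(), m2.as_bytes()]


if __name__ == "__main__":
    for r in (triage_message(raw) for raw in build_samples()):
        print(r)
    print(triage_mailbox(build_samples()))
```

The split between `hits` and `unsearchable` is the number that matters for budgeting a review: every entry in the second list is a document a person has to open, and in the incident above that list ran to 350,000 items across 20 mailboxes.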