One of New York’s largest nonprofits suffers data breach

People Inc. says an employee email account was the source.
Written by Charlie Osborne, Contributing Writer

People Inc., one of western New York's largest non-profit agencies, has revealed a data breach which has exposed sensitive medical information belonging to current and former clients.

This week, the non-profit human services agency said that an employee email account appears to be the source of the leak, in which a vast array of client data has been exposed.

In total, it is reported that up to 1,000 clients may be involved.

People Inc. offers residential care, employment assistance, community outreach programs, healthcare, and recreation schemes for seniors, the vulnerable, and people with disabilities and their families.

The non-profit discovered the breach on February 19, 2019. An unknown hacker had managed to infiltrate an email account belonging to an employee of the organization. A second email account may have also been compromised, but People Inc. has not been able to verify whether or not this is the case.

The accounts in question contained personal, sensitive information belonging to clients. Names, addresses, Social Security numbers, financial data, medical information, health insurance details, and government IDs have potentially been compromised and stolen.

However, the non-profit has not received any reports of this information being actively abused, as of yet.

The first compromised account may have permitted entry due to a weak password and could have been susceptible to a brute-force attack, as People Inc. said that a password reset was enough to secure the email account. The second account has been disabled outright.

People Inc. hired a cyberforensics firm to investigate the case and has informed the FBI. Clients were made aware of the data breach on May 29, and free credit monitoring services are on offer to those impacted.

Nonprofits and medical organizations are common targets for hackers on the quest for data, given that the client and patient data they hold has value for sale and identity theft. In March, a data breach stemming from Canada's Natural Health Services (NHS) exposed the personal information of roughly 34,000 medical marijuana users.

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0