Atara Biotherapeutics Data Breach Exposes Medical Information

On November 2, 2023, Atara Biotherapeutics, Inc. experienced a network security incident involving unauthorized access to its internal systems. The company immediately launched an investigation with the help of external cybersecurity experts to assess the scope and impact of the breach. After a thorough forensic review and document analysis, Atara determined on June 10, 2024, that certain files containing personal information may have been accessed and acquired by unauthorized individuals.

The information potentially exposed in this incident includes full name, date of birth, digital signature, and medical information. The company has not disclosed the exact number of individuals affected, but notification letters were sent to each person for whom Atara had a last known address as of August 16, 2024.

The nature of the exposed information—especially medical data and digital signatures—means that the breach is considered serious. The company has not provided details about the specific method of attack or the identity of the perpetrators.

Atara Biotherapeutics' response

Upon discovering the unauthorized access, Atara Biotherapeutics engaged cybersecurity professionals and conducted a comprehensive investigation. The company has taken steps to enhance its internal security controls and continues to evaluate and update its privacy and data protection practices.

For those affected, Atara has provided clear guidance on steps to help protect their personal information. Individuals are encouraged to:

• Place a fraud alert on their credit files by contacting any of the three major credit bureaus (Equifax, Experian, or TransUnion).
• Consider placing a security freeze on their credit reports to prevent new accounts from being opened in their names.
• Obtain free credit reports annually from each of the three major credit bureaus and review them for discrepancies or unauthorized activity.
• Monitor financial account statements, explanation of benefits statements from health insurers, and credit reports for signs of irregular or fraudulent activity.
• Contact law enforcement and file a police report if their information is misused.

Additionally, Atara has provided contact information for its Assistant General Counsel and Privacy Officer for individuals seeking further information or assistance. The full details of the company’s notice, including additional resources and step-by-step instructions for protecting your information, are available in the official Notice of a Network Security Incident posted on Atara’s website.