DAP Health Data Breach Exposes PHI & PII of its Patients

On July 22, 2024, DAP Health detected suspicious activity within its email environment, which prompted an immediate investigation. A specialized third-party cybersecurity firm and internal IT personnel were brought in to secure the environment and conduct a thorough forensic investigation. The investigation revealed that an unauthorized actor had accessed and potentially acquired sensitive files and data stored in DAP Health’s email system.

The reconstruction and review process to determine the scope of the breach was extensive. By November 26, 2024, DAP Health identified the individuals whose sensitive information was impacted. This breach is significant due to the volume and sensitivity of the data involved, as DAP Health serves approximately 85,000 patients across its 26 fixed locations and eight mobile units.

The types of consumer information potentially exposed in this breach include:

• Name
• Address
• Phone number
• Date of birth
• Social Security number
• Patient ID
• Medical records number
• Medical treatment location
• Medicare/Medicaid number
• Health insurance plan/policy number
• Cost of medical treatment/insurance
• Diagnosis, treatment, and procedure details
• Medical history and allergies
• Prescription drugs taken or written
• Test results, images, and vital signs
• Date of admission or treatment
• Healthcare provider name
• Financial account number
• User ID and password
• License plate or vehicle identification number (VIN)
• Driver's license number
• Passport number
• Birth certificate number

The breach was formally disclosed to the California Attorney General’s office on December 27, 2024.

DAP Health's Response

Upon discovering the breach, DAP Health acted swiftly to secure its systems and mitigate risks. The organization engaged cybersecurity experts to investigate the incident and assess the damage. A detailed reconstruction of the affected email environment was conducted to identify the individuals whose information was compromised.

DAP Health has notified affected individuals and is offering complimentary credit monitoring, credit reports, and credit score services for 12 months. These services include proactive fraud assistance and alerts for any changes to credit files.

The organization has partnered with Cyberscout, a TransUnion company, to provide these services. Affected individuals are required to activate the services themselves within 90 days of receiving the notification letter.

Affected by the DAP Health data breach?

If you have been notified that your information was part of this breach, it is important to take immediate steps to protect yourself. Here’s what you should do:

1. Enroll in the free credit monitoring services provided by DAP Health. Follow the instructions in the notification letter, and use the unique code provided to activate the service within 90 days.
2. Monitor your financial accounts and credit reports for any suspicious activity. You are entitled to one free credit report annually from each of the three major credit bureaus (Equifax, Experian, and TransUnion). Visit Annual Credit Report to request your reports.
3. Consider placing a fraud alert or credit freeze on your credit file. A fraud alert notifies creditors to verify your identity before extending credit. A credit freeze restricts access to your credit report, preventing unauthorized credit applications. Both options are free and can be set up by contacting the credit bureaus directly:
1. Equifax
2. Experian
3. TransUnion

1. Be cautious of phishing attempts. Cybercriminals may use your exposed information to impersonate trusted entities. Avoid clicking on suspicious links or providing personal information over the phone or email.
2. Report any suspected identity theft to the Federal Trade Commission (FTC) at IdentityTheft.gov. The FTC provides resources to help you recover from identity theft.
3. Contact law enforcement if necessary. If you believe you are a victim of fraud, file a police report and retain a copy for your records.