Notice of Data Security Incident
November 24th, 2020
Metro Presort, Inc. Suffers Ransomware Attack
In May 2019, Metro Presort, Inc. (“MPI”) suffered a ransomware attack. MPI contained the ransomware threat relatively quickly and was able to resume regular operations. MPI’s initial investigation indicated that data files used for our operations were already encrypted and thus protected from the ransomware malware at the time of the incident. Further, there was no evidence that files were improperly accessed, used, or taken from MPI’s system. Subsequent investigations have further confirmed that there is no evidence of improper access, but there is a possibility that data files were not encrypted at the time of the incident. Accordingly, MPI is providing this notice, which includes details about the incident, information involved, and what individuals can do to protect information.
On May 6, 2019, cybercriminals deployed ransomware throughout MPI’s network that locked MPI out of its systems and prevented it from accessing information used to process mailings. The incident was contained by May 15, 2019. Nothing indicates that customer data was improperly accessed or left our network or system.
MPI initially believed that customer data files containing patient information for mailings were already encrypted at the time of the attack and thus were not accessible. In October 2020, it reinvestigated this incident and determined that it could not be certain that these files were encrypted before the attack. Thus, although there is no evidence of any improper access, there was a potential for unauthorized access of patient information.
Invoices, statements and spreadsheets that MPI processed for its clients, including clients in the health care industry, were potentially accessible. Depending on the document, the following categories of information were included: names; addresses; dates of birth; patient, health plan ID, or account numbers; treatment or appointment dates; and diagnosis or treatment codes.
Significantly, Social Security numbers, financial account information, private keys, and usernames and passcodes for secure accounts were not included in the data files.
The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), which is the federal agency responsible for enforcing the federal health information privacy law known as HIPAA, investigated the incident, MPI’s response, and MPI’s data privacy and security practices. On December 31, 2020, OCR issued a ruling finding no violations of HIPAA and closing its investigation.
MPI takes the security of its systems and information it processes very seriously. Both before and since this incident, MPI has devoted considerable resources to maintaining and enhancing its data security, including implementation of the latest technical safeguards to prevent similar incidents, additional protections (encryption) of customer files, and security audits. We have also notified law enforcement and will cooperate with their investigation.
Again, there is no indication that any personal information was actually improperly accessed, viewed, or used, but individuals should always be vigilant when receiving and responding to correspondence or inquiries from unknown sources. Individuals should regularly monitor personal accounts and information for any unusual activity. Individuals should immediately notify their financial institutions and healthcare providers upon noticing any unusual activities.
MPI deeply regrets this incident. If we learn additional information about this incident, we will update this notice.