Hospital Record Data Breach

I found this DakotaNewsNow story to be missing some important details:

A letter sent out by AAA Collections is informing many that their name and Social Security numbers could be compromised. The data breach stems from a period of three days in early September when the company’s computer system was compromised. By the time it was found and stopped, documents containing names and Social Security Numbers were copied. South Dakota law requires any large breach to be reported to the Attorney General’s office, as well as notices sent out to anyone that might have been affected.

• Who owns AAA? The company started in 1965 and at one point I think it changed hands between hospitals and a bank. I don’t know who owns them now.

• What hospitals/clinics were affected? Avera? Sanford? specialty hospitals? Falls Community Health? Why didn’t any of these institutions send out letters?

• Were laws broken about when they needed to inform clients? Is AAA responsible or the other institutions? It’s been around 90 days since the event took place, I believe they only had 60 days to inform clients.

I have heard from several people who got the letter. One of them is a patient at Falls Community Health. When did the city/county know, and when were they going to inform patients?

The speculation as to why this took so long was that AAA was trying to fix it internally hoping to avoid a disaster but that didn’t go so well.

Either way, I’m not sure why any scammer would want the Social Security numbers of people with bad credit.



13 comments ↓

#1 D@ily Spin on 11.25.22 at 10:39 pm

I’ve had AAA for the discounts. Here’s another disappointment. It seems that everything has become a con.

#2 XXX on 11.26.22 at 5:41 am

I’m always suspicious of companies that call themselves things like AAA or ZZZZ Best Carpet Cleaning. I wonder if the BBB would agree? But the other AAA I like, however. They have free maps and maybe a tow. I once had my car towed for free just to watch. I once stopped paying my bills, too, so I would have some friends. Some would call them collectors, I called them my phone buddies. They used to say you can find it in the Yellow Pages, but does that door stopper still exist? “N” is the fourteenth letter in the alphabet, but no one calls themself “NNN”, because that would take an effort. The beginning and end are much easier. Maybe Cliff Notes would help. But now it’s time to take the test. I hope I get an “A” and not an “F”. While a “C” would ironically mean less effort:

https://en.wikipedia.org/wiki/Barry_Minkow

#3 The Guy From Guernsey on 11.26.22 at 12:31 pm

In 2018, South Dakota became the 49th state* to enact a data breach notification statute (“We’ll eventually get around to some of this less important stuff. We’re pretty busy regulating school bathrooms here, ya know”).

The business which is subject to a large data breach has 60 days to provide notice. Copy of the letter pretty clearly states the time horizon of the breach as September 5 through September 7.

How does a news organization report on the notification (and include a statement from the AG’s office), but does not report the legal requirements of notification (nor press the AG’s office for comment on that point)?
And, contact the business for an on-the-record statement?
JFC, even the staff at the Argus Leader would have made a call at 4:52 p.m. on Wed afternoon prior to the Thanksgiving holiday and reported “a representative for AAA Collections did not immediately return a call seeking comment on the incident”.

Since the system of Falls Community Health was not the subject of the breach, they wouldn’t be required to provide any sort of notice. In fact, they wouldn’t (shouldn’t?) even know the identity of those whose data may have been pilfered.

* Bonus trivia: At the time (2018), the lone remaining state to enact data breach notification legislation was … ?

#4 The Guy From Guernsey on 11.26.22 at 12:33 pm

“I’m not sure why any scammer would want the Social Security numbers of people with bad credit.”

meh, I don’t think identity theft has any requirement for a solid credit record.

#5 Very Stable Genius on 11.26.22 at 4:29 pm

Mississippi?

Selling identity theft on the dark web is probably a lot like selling used cars. Put some sawdust into the tranny and she’ll work for a few miles.

#6 VSG on 11.30.22 at 1:36 pm

Could someone please explain to me why Sanford showed a $500 million profit last year as a non profit? Based on my math, they over-charged all of their customers, I mean patients, by 10%. #StatuesThePentagonFieldHouses&FootballFields

( and Woodstock adds: “And how about that other place with the signatory water falls, huh?”…. )

#7 The Guy From Guernsey on 11.30.22 at 10:26 pm

At the time (2018), the lone remaining state to enact data breach notification legislation was … ?

Mississippi is always a solid spot to place a bet when asked, “which state is just behind South Dakota” … in anything.

But in this case, the answer is Alabama.

#8 VSG on 12.01.22 at 3:08 pm

Many ask why there are two Dakotas, while I ask why there’s a Mississippi and an Alabama.

AND, did you know that Mississippi did not ratify the 13th Amendment to end slavery until 1995? Better late than never, I guess.

#9 The Guy From Guernsey on 12.03.22 at 9:13 am

… but should it be East Alabama? Or West Mississippi?

Hank Jr., wrote about “North Carolina and South Alabam”, which doesn’t geographically align with this context.

#10 VSG on 12.03.22 at 1:26 pm

Did you know that the original petition to Congress to make Minnesota a state had the Sioux River as part of its western boundary? Which means a lot of Sioux Falls would have been in Minnesota, but luckily Taupeville would have still been in South Dakota, however.

( and Woodstock adds: “Say, how does the “Full Faith and Credit Clause” apply to Limitless visits?”….. “And, just think, Minnesota could have then used our beautiful bike trail as its Maginot Line”…. 🙂 )

#11 VSG on 12.03.22 at 1:34 pm

Well, I think we all know what James Carville once said about Pennsylvania: “It’s Pittsburgh to the left, Philadelphia to the right, and Alabama right up the middle”…

( and Woodstock adds: “Yeah, that’s probably why the Confederates made it all the way to Gettysburg…. because they still felt at home”…. )

#12 "Woodstock" on 12.03.22 at 1:37 pm

“Wow, at first I read that as ‘East Albania’, and I was like where is that in our fine country and how far away?”….. #DuaNation

#13 Fear & Loathing in Sioux Falls on 12.03.22 at 1:42 pm

But West Mississippi would then be east of the Mississippi. That might be too confusing for Confederates. Because they already have a problem at times flying both Old Glory and the Confederate flag from the back of their rusty pick-ups.

Which then leads me to another question: Why is North Sioux City found west of Sioux City? That’s a question I’m going to ask God someday along with why pizza is so good and who REALLY shot JR?