Another small accounting firm has reported a data breach involving the protected health information of a whole lotta people.
On October 7, Dohman, Akerlund & Eddy, LLC (or DA&E as we’ll refer to them for the remainder of this article) of Aurora, Nebraska sent out letters to 82,207 people whose data — including name, address, date of birth, Social Security number, medical treatment/diagnosis information, dates of service, health insurance provider name, health insurance claim information, and/or treatment cost — was accessed through a breach of their network in February of this year. As is required by the law, they also filed a breach notification with the attorney general of Maine as 19 of those 82,207 people are residents of the state.
We wrote about a similar breach just a week ago (see: A Firm With 55 People Finds Itself at the Center of a Data Breach Affecting 127,431) and wondered out loud at that time how a tiny little accounting firm with 55 people working there would find itself in possession of the medical/treatment information of 127,000 people. In the case of DA&E, we don’t have to wonder. They spell it out in a press release put out today.
It said:
Dohman, Akerlund & Eddy, LLC (“DA&E”) announces a data incident that impacted some protected health information stored on its network. DA&E provided auditing services to some Aurora area hospitals.
As for the breach itself, DA&E detected suspicious activity on its network on February 28, 2024. They brought in third-party specialists to conduct an investigation and determined “an unknown party accessed certain files” on the network (duh). The press release says the files were accessed on the 28th but the notification filed with the Maine AG says it was February 11.
Well whatever. Here’s what happened after discovering the breach, bringing the experts in to figure out how bad it was, and concluding the investigation on September 26:
DA&E began a comprehensive review of the files at issue to determine the information the files contained and to whom the information related. DA&E’s review included the assistance of third-party data review specialists and determined the potentially impacted information included the following types of information related to some patients of hospitals in the Aurora area including name, address, date of birth, Social Security number, medical treatment/diagnosis information, dates of service, health insurance provider name, health insurance claim information, and/or treatment cost. [Emphasis ours]
DA&E notified law enforcement of the incident. The firm “has no reason to believe any of the information described above has been misused” but is providing 12 months of credit monitoring and identity protection from IDX including CyberScan dark web monitoring. IDX Complete costs $355.32 a year which means the retail cost to cover 82,207 people for just a year would be more than $29 million. Surely the firm isn’t paying retail.
DA&E is presumably too small to appear at all on the INSIDE Public Accounting Top 500 (the last firm on the list is Shannon & Associates of Kent, Washington with revenue of $6,063,000). According to this their revenue is $3.5 million, Dun & Bradstreet says sales revenue is $0.86 million. Who knows, who cares.
In a separate consumer notification that appears to be related to this breach as it occurred during the same time period, 3,687 people were notified that their name and Social Security number were accessed by whoever was digging around in DA&E’s network back in February.
Anyone else feel wildly uncomfortable about your private medical information just sitting there on some tiny accounting firm’s server ripe for the looting by bad actors?
It is interesting that a business called Change Healthcare located in California (at least that’s what the return address was on the envelope) also had a data breach on these same exact dates.
According to the notice we received in the mail… they also are offering the services of a certain IDX… for two years and at no charge to the affected individuals.
As the dates and types of information leaked coincide, inquiring minds can’t help but wonder if they are connected.
The issue of information security is not to be trivialized.