DSSW says data breach affected 4,000
A San Antonio nonprofit that provides services to disabled people and the elderly was the victim of a data breach two months ago.
Disability Services of the Southwest said Monday that one or more “intruders” infiltrated its website Sept. 28 and may have gained access to information about current and former employees at its offices across the state.
The nonprofit initially disclosed last week that a “HIPAA data breach” had occurred, but later said it erred in describing it as such. HIPAA is shortand for the Health Insurance Portability and Accountability Act, which protects patient health information from being disclosed without a patient’s consent.
No personal health information was involved in the breach. Employee information that may have been accessed includes names, addresses, phone numbers and email addresses, as well as job and location information.
Social Security numbers and bank account information were not accessed, Marjorie Costello, DSSW’S chief administrative officer, said in an email.
The organization employs about 2,000 people at its offices across Texas, but as many as 4,000 current and former employees may have been affected. An unknown number of prospective employees also may have had their information accessed.
DSSW notified the Texas Attorney General’s office of the data breach Wednesday, Costello said. The breach does not yet appear among the reports on the state agency’s website.
Costello said it did not lose access to its websites because of the breach, only “databases associated with our websites.”
In the news release, DSSW said the breach occurred on the systems of Internap Holding Inc., which operated the nonprofit’s website at the time.
“The intruder or intruders placed ransomware on the platform provider’s servers,” DSSW said. It did not pay any money to the intruders, Costello said.
Internap didn’t respond to requests for comments.
Techradar, an online publication that writes about technology products, reported that the cloud and data company experienced a ransomware attack from 2:11 a.m. to 5:41 a.m. Sept. 28 before it was discovered later that morning.
Internap, also known as INAP, was not able to recover its customers’ services because of the attack, Techradar said.
As a result, INAP said in a statement it would no longer provide database, web hosting and email hosting services. Techradar found the statement on an in
ternet archive website after it had apparently been removed from INAP’S incident report page.
Costello replied “no comment” when asked if her organization was contemplating legal against against INAP.
DSSW says on its website that it is licensed by the state to provide a variety of services to persons with disabilities, including community living assistance and home care. It operates offices in 10 cities outside San Antonio.