OneTouchPoint Data Breach Reaches 2.65M Individuals

2,651,396 people have now been impacted by the ransomware attack on OneTouchPoint, a mailing and printing company located in Hartland, Wisconsin. Common Ground Healthcare Cooperative is one of the most recent organizations to announce that it had been affected by the attack, with 133,714 of its members affected. 

On April 28, 2022, OneTouchPoint detected suspicious activity on its systems. The company discovered that files on its systems had been encrypted by an unauthorized third party. A comprehensive forensic investigation was launched in collaboration with a cybersecurity firm to determine what information had been encrypted and how the breach took place. The investigation concluded that OneTouchPoint’s files containing sensitive user data had been accessed by malicious actors on April 27, 2022. On July 15, 2022, the company confirmed that information relating to current and previous members of staff and customers had been obtained. The customer information included full names, birth dates, addresses, subscriber ID numbers, diagnoses, medications, sexes, physician demographics information, family histories, social histories, allergies, vitals, immunizations, and other information. The employee information included names, healthcare member IDs, and information provided during health assessments.

OneTouchPoint initially reported the ransomware attack as affecting 1.1 million people. However, the total number of affected individuals has now risen to 2,651,396. Organizations involved in the breach include Matrix Medical Network, Blue Shield of California Promise Health Plan, Kaiser Permanente, Geisinger, Health First, UPMC Health Plan, Humana, Aetna ACE, Anthem Inc, and other Blue Cross Blue Shield affiliates. On behalf of its clients, OneTouchPoint has vowed to inform affected individuals about the attack. However, some customers have chosen to submit breach notifications themselves. Despite the size of the attack, OneTouchPoint was unable to identify any misuse of the information collected in the ransomware attack. The mailing company has offered credit monitoring and identity theft protection services to affected individuals free of charge.

One class action lawsuit has already been filed against OneTouchPoint over the data breach on behalf of affected individuals. The plaintiff seeks compensatory damages for the risk of identity theft and fraud they now face as a result of the breach.