The breach was first publicly reported by the city in October, several months after it occurred. The new information with the total number of people affected was contained in a notification the city made to the office of Maine's attorney general, which then made the notification public.
Individuals who were affected have received mailed letters from the city's Law Department.
The letters restate what was reported by the city in October, that on May 24, 2023, "the city became aware of suspicious activity in its email environment." An investigation assisted by third-party cybersecurity experts determined that between May 26 and July 28, an "unauthorized actor" gained access to certain city email accounts.
"The investigation did not determine conclusively that any information was actually accessed or acquired as a result of the event," but a review was launched nonetheless "to determine what information was potentially accessible and to whom such information relates."
The city said it recently completed that review and began issuing notifications. The letters state that, although no identity theft or fraud has been reported, the city is offering free credit monitoring, fraud consultation, and identity theft restoration services through a third-party provider.
The city has yet to offer an explanation for how the data breach occurred.
The notification to Maine, which was first reported by Bleeping Computer, a technology news website, said the breach affected 35,881 people, including 15 Maine residents.
Andrew Richman, chair of compliance and legislation in the city's Law Department, confirmed in an email that notifications were made and directed a reporter to an updated city notification posted in June. People seeking information about the breach can call 1-866-898-0867, Richman said.
Richman said the city provided notification to Maine because of requirements under state laws.
"We take this event and information security very seriously," the updated notification states. "Upon learning of this event, we immediately took steps [to] further secure our systems and email environment. As part of our ongoing commitment to information security, we are also reviewing our existing policies and procedures, implementing additional administrative and technical safeguards to further secure information in our care, and providing additional training on how to safeguard information in our email environment. We are also reporting this event to government regulators, as necessary."
The types of "potentially impacted information" exposed by the breach vary by individual and could include names, addresses, dates of birth, driver's license information, Social Security numbers, financial account information, medical information, health insurance information, medical billing and claims information, and occupational health-related information.
The updated notification also states: "While our review was ongoing, the City's Department of Behavioral Health and Intellectual disAbility Services ('DBHIDS') mailed written notice to individuals whose protected health information was potentially impacted."
A separate notification regarding exposed health information was posted by the city in May.
The city last reported a significant email breach in 2020, which followed a successful phishing attack on an employee email account. That breach impacted individuals served by DBHIDS, as well as a nonprofit known as Community Behavioral Health.
©2024 The Philadelphia Inquirer, Distributed by Tribune Content Agency, LLC.