200k Impacted by East Valley Institute of Technology Data Breach

The East Valley Institute of Technology (EVIT) is informing over 200,000 individuals that their personal and health information was compromised in a recent data breach.

The incident occurred on January 9, when a threat actor gained unauthorized access to EVIT’s network, accessing sensitive information pertaining to current and former students, staff, faculty, and parents.

Potentially compromised information includes names, addresses, email addresses, Social Security numbers, dates of birth, driver’s licenses, student ID numbers, race/ethnicity, account numbers, medical information, financial aid information, and other student information.

Furthermore, medical information, including diagnosis, treatment and prescription details, health insurance details, mental and physical condition and treatment, and patient account numbers were also compromised.

Biometric data, login information (including usernames and passwords), payment card type, military ID numbers, and other information were also accessed, EVIT says, adding that the potentially compromised information varies by person.

The institute says it has notified the potentially impacted individuals and that it has found no evidence of the compromised data being published online.

“However, given the possibility that sensitive information may have been compromised, EVIT engaged a third party to conduct a thorough review of all potentially impacted files. This review concluded recently and identified your child as potentially impacted by the cyber-incident,” EVIT wrote in the notification letters sent to the impacted individuals.

The organization submitted a copy of the letter to the Maine Attorney General’s Office, revealing that a total of 208,717 individuals were potentially affected by the incident.

“This attack had a limited impact on our operations. We promptly took corrective steps to investigate the incident, secure our systems, report the incident to the three largest nationwide consumer reporting agencies and appropriate authorities, contain and remediate the threat, and notify potentially impacted individuals,” EVIT said.

The LockBit ransomware group took credit for an attack on EVIT in January 2024, threatening to leak data unless a ransom was paid. However, it’s unclear if the cybercriminals actually made any files public because the Tor-based website where they listed EVIT at the time has since been taken down following a law enforcement operation. 

In response to the attack, the institute changed passwords, revoked permissions, deployed EDR software, replaced virtual servers, locked down VPN access, and performed domain cleanup.

EVIT is providing the potentially affected individuals with one year of free identity protection and ID theft recovery services.
