North American Risk Services, Inc. suffered a data breach between February 7 and March 27, according to the data breach notification sample sent to the Office of the Attorney General of California, with six hundred and four customers being affected by the incident.
North American Risk Services is a privately held company based in Maitland, Florida, and a national third-party claims administration (TPA) services provider which processes certain aspects of companies' employee benefit plans and helps other entities reduce insurance claims costs.
According to the data breach notification, North American Risk Services (NARS) found out about the security incident after noticing suspicious emails being sent from one of their employee's accounts.
Following an investigation performed with the assistance of a security investigator, NARS discovered that a small number of company e-mails were accessed by unauthorized actors beginning with February 7 until March 27.
Subsequently, on June 27, the security investigator learned that the affected e-mails contained private information, but was unable to find contact information for more than a 25% of the individuals and entities affected by the breach.
"The personal information found within the impacted email accounts includes a combination of the individuals’ names and one or more of the following: Social Security number, driver’s license number, financial account information, medical information, health insurance information, taxpayer/employer identification number or username and password," says the breach notification.
The data breach only affected North American Risk Services, Inc. customers from California
NARS was able to uncover contact info on another 50% of the affected and, because of the extensive time needed for finding the rest of the contact addresses, it decided to start notifying the affected parties on August 31.
Next, NARS found contacts for the other 25% who did not receive a data breach alert using their Social Security numbers to pinpoint their addresses with the help of a third party company which offers address locator services.
All contact info for affected customers was discovered on September 7, and North American Risk Services sent the second wave of breach letters on October 5.
As NARS states in their breach notification, between the first and the second wave of customer alerts, six hundred and four California residents received a notice letter.
"North American Risk Services is offering individuals impacted by this event with access to one (1) year of complimentary credit monitoring and identity restoration services," also says the breach notification.