Morley Companies Reports Security Breach Impacted 521,000


A cyberattack on Michigan-based business services provider Morley Companies, which was initiated on August 1 2021, prevented internal access to databases.

The Saginaw, MI-based group recently reported the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR), confirming that cybercriminal successfully infiltrated their network, impacting the Private Health Information of a portion of its clients. 

Following the discovery of the breach, mitigation measures were swiftly implemented in order to isolate impacted sections of the network. In addition to this, an external group of cybersecurity  experts was contracted to review the beach and examine how it occured and how far it reached. It was quickly seen that the hackers stole a variety of different data and also succeeded in encrypting data on the Morley Company systems.

An in-depth investigation was carried out on every database file that may have been infiltrated by the cybercriminals. In tandem with Morley Companies identified all contacts that may have been impacted by this breach to prepare for making them aware that a breach may have impacted their PHI. 

collecting contact information for those individuals to allow notification letters to be sent. Morley Companies said that process was completed in early 2022. On February 1 this year the group initiated a campaign to broadcast notification letters and make these individuals aware of what had taken place.

Following the conclusion of the investigation it was revealed that the range of impacted data that could have been accessed or removed during the breach included names, address information, Social Security data, dates of birth, client ID numbers, diagnosis and treatment details, and health insurance specifics.

The group has made free membership to credit monitoring and identity theft security services available to those who had their PHI impacted in the breach. Additionally, Morley Companies has begun updating its security measures in order to make enhancements to its databases and avoid breaches like this happening going forward.

A breach report submitted to OCR has revealed that an estimated 521,046 individuals may have had their protected health information compromised. Law enforcement agencies have also been made aware of the security breach.