A Maricopa Community College faculty member echoed a sentiment that was repeated several times to Northeast Valley News by other staff—namely, that Maricopa Colleges, “Need to spend less money on costly “ornate” programs and positions and more on safeguarding current faculty and staff.”
A Northeast Valley News exclusive investigation reveals that on Mar. 13, 2023 Kannact Inc., a third-party healthcare vendor from Maricopa’s internal system, experienced a data breach which exposed personal information of more than 103,000 individuals nationwide, including Maricopa County Community College District employees (and many of their minor children)— via employees enrolled along with their family members, in MCCCD’s health insurance plan.
The incident was reported to the HHS’ Office (Health and Human Services) for Civil Rights on June 20, 2023 as affecting up to 103,547 individuals.
Northeast Valley News has reviewed documents, letters and emails sent to MCCCD faculty and staff regarding various communication from Maricopa district representatives.
In one letter to an employee affected by the data breach, dated August 28, Kannact explains that they provide “health coaching and assistance” and information including health insurance ID numbers, phone, DOB, Social Security numbers and names were “transferred” in order to “determine their eligibility to enroll in Kannact’s health coaching services.”
Maricopa County Community Colleges Chief Information Officer, Charles Coolidge told Northeast Valley News that the breach was reported to the benefits department April 28 and Kannact notified the District’s incident response team on May 1.
“Why did it take so long for Maricopa to alert us about our possible data breach?” asked one faculty member.
Coolidge told Northeast Valley News that on June 8, 2023, “We learned there were actual Maricopa employees and enrollees that had their data compromised. Because prior to that, we were understanding from Kannact that there were no employees or enrollees whose data was compromised,” Coolidge said.
According to Kannact, on or around June 8 is when their third-party forensic data mining company identified all files in the system that were compromised.
Coolidge detailed the actions that the District took.
“We quickly collaborated with our outside cybersecurity council as well as Kannact to make sure it was mitigated quickly and worked with Kannact accordingly to make sure the outreach was sent to employees and enrollees within that 45-day period, which is the standard operating procedure. And then paired that with the call center information to assist with anybody affected in offering that one-year subscription to LifeLock identity protection services, again, per protocol,” Coolidge said. “We were also informed that Kannact would notify all regulatory authorities, state agencies, etcetera, as required.”
Even though Maricopa Community Colleges own information system has experienced at least two additional cyberattacks in the past eight years, Coolidge seemed confident in the district’s cybersecurity protections.
Some Maricopa faculty questioned Coolidge’s assertion that call center assistance information was sent in a timely manner and wanted to know why the district waited so long to communicate to employees.
“I mean we didn’t even know who our health insurance carrier was going to be or what would be happening—all because Maricopa wanted to skimp on costs? We waited for information. And then the data breach?”
“There was some kind of notice given early on to district but Maricopa sat on it,” said one long time Maricopa employee who is familiar with what they describe as “a lack of transparency from Maricopa” after a previous employee data breach.
Even though the breach itself is on Kannact—lack of communication and transparency from Maricopa has some faculty and staff troubled.
Coolidge told Northeast Valley News, “Kannact services are all outside of our protocol systems. The fact that they were hacked on their platform is why we have been working directly with them, as well as the outside council that Maricopa has brought in, in addition to the outside cyber council to make sure all of our platforms and procedures are in accordance to protect all the information that we have internally. So, we feel very good about how our platform works…unfortunately, something happened in the Kannact world that impacted that negatively,” Coolidge said.
In a recent teleconferencing interview with Northeast Valley News, Kannact’s Chief Operating Officer, Nandan Rao said that 8,734 MCCCD employees and their dependents were affected by the March 2023 data breach.
Rao indicated that the individuals affected were members of MCCCD health plan who were eligible for Kannact’s health benefits.
“The benefit that we offer to Maricopa employees is health and wellness coaching. However, it’s coaching that is offered to people with a set of chronic conditions only,” Rao said. “The files that were impacted with Maricopa were what we call eligibility files. So it’s files that had mobile numbers, date of births, name, but also, very importantly, Social Security numbers.”
Northeast Valley News spoke with several faculty members who wished to remain anonymous for fear of retribution and said that their information was breached even though they had not signed up for the wellness coaching program nor were they made aware that their names were enlisted in the Kannact system that Rao outlined.
One MCCCD employee who spoke to Northeast Valley News said they were “irate” when they found out their personal information had been accessed— but worse, their minor children’s Social Security numbers and other personal information was also breached.
“That’s probably for me, the biggest frustration—as an adult and as an employee, there’s always going to be breaches of some of this kind of information. But when it’s my health data, and my children’s health data, that’s when it becomes a little bit more,” the employee said.
Another faculty member who says they were never interested in or sought out Kannact’s health coaching services, said, “Making the transfer of their information was completely unnecessary.”
“Fortunately, my health is fairly good. I don’t access a lot of their wellness programs because I have my own things that I do outside of here. So that wouldn’t be something that would be of interest to me.”
According to Rao, the breach occurred through a third-party file transfer protocol (FTP) software system after their personal and medical information had been transferred from Aetna, the District’s health care provider.
“This FTP transfer software is the same software that is used by hundreds of health care companies that were impacted by the same breach,” Rao said. “This software system was accepting files from partners we work with. And so, then the files were sitting on that system, the attacker gained access to the system and therefore gained access to all files that were sitting on that system—that had been transferred to that system from our partners.”
Rao told Northeast Valley News that all of the files that were being stored on the system were potentially downloaded, or “exfiltrated” from the transfer software.
“What we know, is that this threat actor gained access to our system and exfiltrated, or could have exfiltrated the data,” Rao said.
Another Maricopa faculty member close to district administration told Northeast Valley News,
“The data security breach apparently occurred as far back as March. We began to get some communication about it in July and then in August a letter was sent that essentially said ‘everybody’s potentially been affected’ this was just before classes started. There was a general email in July that basically read “you may or may not have been affected” but my kid’s and my wife’s personal information were affected and their Social Security numbers, address, phone, and other information has been compromised.”
“Basically Aetna was transferring all of our personal healthcare information to a third party “wellness” company called Kannact.”
“First of all this is the district’s dye—they chose Aetna, why—because it’s cheaper—to keep down costs—I don’t know, but my question is this—was Aetna selling our data? Did we implicitly opt in to this third party wellness program that I don’t think anybody asked for?”
Rao said that the one year of identity protection that his company has offered those individuals affected by the breach, is what is required by law, but that they would consider offering additional coverage to affected minors after a cybersecurity expert familiar with Northeast Valley News said that cyber-criminals often hold personal information of minors until they are old enough to effectively target their personal information.
Cybersecurity experts warn of risks after a data breach
Northeast Valley News told Rao that a cybersecurity expert, familiar with the breach, said that one year of monitoring the compromised information of minors was “laughable.”
Another cybersecurity expert who spoke on the condition of anonymity and who holds government clearance in his position with an out of state cybersecurity company told NEVN, “This kind of data breach can potentially produce serious issues for individuals.”
“When data breaches retrieve Social Security numbers of minors it’s a landmine of potential fraud and future identity theft. These are sophisticated hackers that know just how valuable a minor’s Social Security number and other personal information is to fraud and crime. Parents should continue to monitor children’s personal information well into their young adult lives,” said the expert. “It’s unfortunate, but that’s the world we are in, I see this every day on a much larger scale.”
Another local private cybersecurity expert, Daniel Hillburn from, Rapp It Up Wireless Security Company—a sister company to RIU cybersecurity and located in the Valley, agreed to speak on the record with Northeast Valley News.
Rapp It Up is an identity theft company and RIU is cybersecurity for small businesses and Hillburn told Northeast Valley News in November that the one year of credit monitoring offered by Kannact or the district is “ridiculous.”
“Absolutely not enough, and here’s why. These children won’t be applying for jobs, they won’t be applying for credit for cards and houses and student loans and stuff like that for probably a year to ten years away—or maybe even 18 years. When they steal the information, they sell it. The people stealing it are never the ones using it. They steal the information then they sell it on the dark web in bulk. So, what needs to be done is that entire amount of data—which I’m sure is a lot, needs to be encapsulated and then all of that data needs to be tracked on the dark web forever.”
“I’d be asking for a lifetime subscription to any type of credit monitoring organization. Or at least twenty years for all of the people who have had this breach. The standard is usually three years for when a company has a breach—they are mandated by law to provide credit monitoring services. One year is ridiculous and I would never accept that,” Hillburn said.
When asked how often this happens at colleges and universities, Hillburn said it happens all the time.
“However, like many other organizations, colleges and universities do not report it until it is much later after the breach. I do not believe they are held to the same standard as enterprises and large companies. They have to now [report the data breach] only because they were forced to by the government to have a timetable which is usually thirty days, they have to declare the breach and all of the details, Hillburn said.
“They have to connect—contact anyone associated with the breach and present them with the minimal credit monitoring. But this is a unique situation, where they have stolen children’s social security numbers and all of their contact data, so this data is going to be sold over, and over, again on the dark web. So that is a huge problem.”
Hillburn told NEVN that hackers often target minors.
“For the standard reason I gave you, because they like medical records and because they can sell that data continuously. There will be a lifespan of their data but because they are children, and maybe they haven’t even created credit files, that data is very valuable.”
He advised those affected by the data breach whose minor children were involved too, “Reach out to subject matter experts to provide them with some insights and some guidance and adhere to a standard.
“I’m not sure what standard the colleges and universities are adhering to at this point, but there are varying levels of standards, COBIT, NISS, ISO, 27001/27002/27003 (all cybersecurity units for information security) that they should be looking to as their guidance on where to be as requirements to secure their data,” Hillburn said.
When Northeast Valley News’ requested the initial interview with Kannact—it was delayed and NEVN was told that Kannact needed to check with Maricopa first before answering our questions
Rao with Kannact sent Maricopa’s Coolidge an email on Nov. 30, 2023 stating, “Please let us know if you have any concerns with us talking about the data breach and the impact on MCCCD employees with Northeast Valley News, or if there is anyone else on your team we should consult with first.”
Coolidge responded the same day to Rao with the following message, “Looping in our General Council.”
Northeast Valley News sent an email dated Dec. 5 to both Rao and Coolidge along with their respective organization teams informing them that our reporter/s would be pursuing the investigation regardless and Northeast Valley News would not be waiting for approval from the Maricopa “General Council.”
“Maricopa Community Colleges owes a full and transparent explanation and should offer as much information as possible to those employees who have had their vital personal information compromised. There were also several reported minor children’s information that was breached and could possibly impact their credit identity and viability for years to come.”—Northeast Valley News
To his credit, Rao, of Kannact responded to our interview and told Northeast Valley News with regard to additional credit monitoring, “We are absolutely prepared to go above and beyond that, and we have in other cases,” Rao said. “Especially if there are individuals that are particularly concerned about minors, we’d be happy to support them.”
Northeast Valley News was told that those employees should reach out to Kannact and MCCCD directly for further support.
After consulting with his support team members, Rao sent the following email statement to Northeast Valley News on Jan. 23, 2024.
“In reaction to the point raised by Northeast Valley News, Kannact has discussed the issue with their cyber protection agency and has decided to offer extended 2-year ID theft protection for minors. Additionally, Kannact is willing to renew those ID theft protection subscriptions after 2 years for minors, to extend coverage even further. In order to extend coverage to minors, the employees or ex-employees of Maricopa Community Colleges will need to speak to the MCCCD HR department in order to request additional codes that qualify their associated minors. The MCCCD HR department will be able to coordinate the additional codes and continued coverage with Kannact.”
Rao also told Northeast Valley News that around the time of the attack, his company hired a new head of security who has reportedly been working to improve Kannact’s “security posture”.
“We’re doing more and more certifications and more and more testing to make sure that we can show everybody the increased security of our systems in general, Rao said.
Rao said Kannact has also taken measures specifically in response to the March, 2023 breach.
These measures included shutting down the systems that were breached and replacing the software with “open source” software that “has been checked to make sure it doesn’t have the same vulnerability.”
Rao says they have taken other technical measures including reducing the number of application programming Interfaces (API) and the amount of stored data in their information systems.
“We understand that we cannot change the past and that offering protection does not change the breach of trust incurred by this incident. As a small company, however, we are proud of the fact that we are able to continually improve our systems and security to prevent as many breaches as possible. While we live in a world in which breaches will continue to occur, we stand by being as transparent as possible when they do occur and offering as much support as we can to everyone impacted,” Rao wrote in the emailed statement following his interview with Northeast Valley News.
Rao was unable to comment on any pending lawsuits against Kannact as a result of the breach.
Maricopa employees say they just want to know when the district will start investing district funds in order to protect their personal information and fix employee services instead of subsidizing programs and positions that are unnecessary and costly.