Breach Report Statement — Optimsync

Notification of Incidents or Breaches



1 Incident summary

On 2 March 2025 our SOC detected that an attacker signed in to the support@optimsync.com mailbox using stolen OAuth refresh tokens, gaining read-only access to a CSV file containing 2 000 patient records (name, date of birth, outpatient diagnosis code). The session was terminated within 23 minutes; no financial or SSN data were present.
  • Discovery date: 2 Mar 2025
  • Containment completed: +1 hour (token disabled; MFA enforced)
  • Breach type: Unsecured ePHI disclosure (45 CFR 164.402)
  • Decision: Notification required (high probability of compromise)


2 Four-factor breach-risk assessment (HIPAA § 164.402)

Factor | Key findings | Score (1-5)
--- | --- | ---
PHI nature / identifiability | Name, DOB, ICD-10 code — personal identifiers present | 4
Unauthorized person | External attacker, identity unknown | 4
Acquired or viewed | O365 audit logs confirm two CSV downloads | 5
Mitigation | Token revoked; password reset; MFA enforced within 60 min | 2

Total = 15 / 20 → High – Breach; notification mandated
Privacy Officer sign-off: 【Signature / Date】



3 Notification actions & evidence

Required notice | Date sent | Attachment | Regulatory clause satisfied
--- | --- | --- | ---
Individuals (2 000) – personalised letters containing the five required elements (what happened, PHI types, mitigation, steps individuals can take, contact info) | 15 Mar 2025 (13 days) | B_IndividualNotice.pdf | § 164.404(a-c)
Media – press release to State Health News (≥ 500 residents) | 15 Mar 2025 | D_MediaNotice.png | § 164.406
HHS / OCR breach portal – submission ID #2025-12345 | 20 Mar 2025 | D_OCRConfirmation.pdf | § 164.408
Business-associate chain – not applicable (breach on CE systems) | n/a | n/a | § 164.410
Law-enforcement delay – none requested | n/a | n/a | § 164.412

All notices were completed within the 60-day statutory window.


4 SOC 2 CC7 mapping

SOC 2 criterion | Evidence artefact
--- | ---
CC7.3 – Evaluate events | Signed four-factor worksheet (A_RiskAssessment.pdf) demonstrates formal evaluation.
CC7.4 – Respond & contain | Jira timeline + Slack war-room transcript (C_Timeline.pdf) shows rapid containment and media/individual/HHS communication.
CC7.5 – Recover & improve | Post-incident review (E_RCA.pdf) documents root cause (token theft), fixes (OAuth token hardening), and scheduled MFA rollout audit.


5 Lessons learned & continuous improvement

  • Technical – Enable Conditional Access token protection for all privileged mailboxes; completed 5 Apr 2025.
  • Process – Add explicit OAuth-token theft scenario to annual tabletop catalogue.
  • Testing – Next full-scale drill scheduled Q1 2026; results to be logged in the IR metrics dashboard. Periodic testing and metric tracking satisfy SOC 2 CC7.5’s “periodically evaluates incidents” requirement.


6 Evidence-bundle index (to upload with this document)

File name | Contents
--- | ---
A_RiskAssessment.pdf | Signed four-factor worksheet (HIPAA § 164.402)
B_IndividualNotice.pdf | Redacted sample letter to affected individuals (HIPAA § 164.404)
C_Timeline.pdf | Jira export showing detection → containment timestamps
D_OCRConfirmation.pdf | PDF print of OCR submission “received” page (HIPAA § 164.408)
D_MediaNotice.png | Screenshot of press release on optimsync.com (HIPAA § 164.406)
E_RCA.pdf | Post-incident review & corrective-action tracker (SOC 2 CC7.5)

All artefacts must be retained ≥ 6 years per HIPAA § 164.414(b).


7 Approvals

  • Incident Commander (CTO) ………………………… 【Signature / Date】
  • Privacy Officer ……………………………………… 【Signature / Date】
  • CISO / Executive Sponsor ……………………… 【Signature / Date】





Submission guidance for Drata

  • Export this document to PDF.
  • Attach the PDF plus the six numbered artefacts above to the Drata request “Notification of Incidents or Breaches.”
  • In the evidence comment, note: “Breach discovered 2 Mar 2025; letters sent 15 Mar 2025; OCR submission 20 Mar 2025. All supporting files attached.”