Data Breach Notifications

Entity Information

  • Type of Organization: Healthcare
  • Entity Name: ACE Surgical Supply Co., Inc.
  • Street Address: 1034 Pearl St.
  • City: Brockton
  • State, or Country if outside the US: Massachusetts
  • Zip Code: 02301

Submitted By

  • Name: Rahul Mukhi
  • Title: Partner
  • Firm name (if different than entity): Cleary Gottlieb Steen & Hamilton LLP
  • Telephone Number: 2122252912
  • Email Address: rmukhi@cgsh.com
  • Relationship to entity whose information was compromised: Attorney

Breach Information

  • Total number of persons affected (including residents): 3574
  • Total number of Maine residents affected: 28
  • If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified:
  • Date(s) Breach Occured: 6/29/2021
  • Date Breach Discovered: 6/29/2021
  • Description of the Breach:
    • External system breach (hacking)
  • Information Acquired - Name or other personal identifier in combination with:

Notification and Protection Services

  • Type of Notification: Written
  • Date(s) of consumer notification: 10/6/2021
  • Copy of notice to affected Maine residents: Notification and Attachment.pdf
  • Date of any previous (within 12 months) breach notifications: 7/28/2021
  • Were identity theft protection services offered: Yes
  • If yes, please provide the duration, the provider of the service and a brief description of the service: On Tuesday, June 29, 2021, ACE discovered that certain company files were accessed without authorization in a ransomware cyberattack. Upon discovering this incident, ACE began an investigation to understand the scope of the incident, secured the Company’s information technology systems, and contacted law enforcement (the Federal Bureau of Investigation). As set forth in our July 28 notification, ACE initially determined that three (3) Maine residents were affected and provided notification and credit monitoring. More recently, in September 2021, after investigation, ACE determined that the affected information that may have been obtained without authorization also included that of twenty-five (25) ACE customers who are Maine residents. The affected customer information included individual and/or business names, contact information, and DEA and physician state license numbers. Although it does not appear that this information falls within the definition of personal identifying information requiring notification, ACE is notifying the customers and offering them credit monitoring in an abundance of caution. Written notifications were sent via U.S. Mail to Maine residents on October 6, 2021. While ACE knows files were compromised, as of this time, we do not have any evidence that the information in those files has been made public or that any identify theft fraud has been committed to date. ACE’s investigation is ongoing.