A newly disclosed phishing attack on BenefitMall has exposed the protected health information of 111,589 plan members.
BenefitMall, a division of Centerstone Insurance and Financial Services, discovered on October 11, 2018, that attackers had gained access to several employee email accounts after employees responded to phishing emails.
Third-party computer forensics specialists were engaged to assist with the investigation and to determine the scope and extent of the breach. The investigation revealed that email accounts had been compromised over a period of four months, with the first account compromised in June 2018.
Swift action was taken to secure the compromised email accounts and prevent further unauthorized access; however, during the period in which the accounts were accessible, emails in those accounts may have been viewed or copied by the attackers.
An analysis of the emails in the compromised accounts revealed that they contained a range of protected health information, including plan members' names, addresses, Social Security numbers, bank account numbers, insurance premium information, and dates of birth.
Law enforcement has been notified of the breach and notification letters have been sent to all plan members whose PHI was exposed. Those letters were mailed on January 4, 2019, nearly seven months after the first email account was compromised and almost three months after the breach was detected. It is unclear why the notifications to plan members were delayed. Under the HIPAA Breach Notification Rule, notifications must be issued without unreasonable delay and no later than 60 days after the discovery of a breach, although notification may be delayed at the request of law enforcement.
BenefitMall has completed a review of its email security controls and has implemented enhancements to protect against further phishing attacks, including two-factor authentication. Employees have also received additional phishing awareness training, and BenefitMall says such training will continue to be provided on an ongoing basis.