BreachExchange mailing list archives
Third-Party Vendor Phishing Attack Breaches 31, 000 Patient Records
From: Destry Winant <destry () riskbasedsecurity com>
Date: Sun, 13 Jan 2019 22:59:45 -0600
https://healthitsecurity.com/news/third-party-vendor-phishing-attack-breaches-31000-patient-records Managed Health Services of Indiana Health Plan is notifying about 31,000 patients of a potential breach to their personal data, caused by a phishing attack on a business associate. According to officials, several employees of LCP Transportation, an MHS vendor, responded to phishing emails around July 30, which gave a hacker remote access to these accounts for more than a month. LCP Transportation disabled the impacted accounts on September 7. The vendor launched an investigation in partnership with a third-party forensics firm. Officials said they found the emails contained patient data, which included names, insurance ID numbers, addresses, dates of birth, dates of service, and medical conditions. LCP Transportation notified MHS about the breach on October 29. MHS then launched its own investigation. Notifications went out on December 20, and all patients are being offered a year of free credit monitoring. “We have tested the email process with them to ensure it is working correctly,” MHS said in a statement. “Our vendor is making improvements to their system security and conducting employee training about cyber risks.” The same day MHS notified patients of the third-party vendor hack, officials announced a second breach caused by a mailing error. On October 16, protected health information was unintentionally disclosed when a letter about a pharmacy change was incorrectly mailed to the wrong member. Officials learned of the event on October 25. The information contained the names, insurance IDs, and medication information of about 576 plan members. According to the notice, MHS is calling patients to retrieve all of the letters mailed to the wrong recipients. Officials are also reinforcing mailing policies and procedures around patient data and reviewing the process around sending mailing addresses to its national mailing center. MHS joins two other organizations that reported multiple breaches in December. Blue Cross Blue Shield of Michigan reported a laptop theft and a ransomware attack on its service provider, Wolverine Solutions. Meanwhile. Humana reported three breaches last month: a breach on its business associate, a theft, and a phishing attack on Family Physician’s Group, owned by Humana. _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Third-Party Vendor Phishing Attack Breaches 31, 000 Patient Records Destry Winant (Jan 14)