[BreachExchange] Hackers access personal data of SCAN Health Plan members

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 29 19:57:55 EDT 2016


http://www.scpr.org/news/2016/08/26/63985/hackers-access-personal-data-of-scan-health-plan-m/

Hackers gained access earlier this year to personal data about current and
former members of Long Beach-based SCAN Health Plan, the company said
Friday. In some cases the intruders were able to view information about
individuals' medical conditions and medication, and "a small number" of
people's Social Security numbers may have been compromised, it said.

Company spokesman Ross Goldberg said he doesn't know how many people's
information was accessed by the hackers. SCAN has 170,000 members, he said,
adding that the intruders also gained access to personal data about
non-members who had provided information to company sales representatives.

The firm discovered the intrusion on June 27, according to a letter it sent
this week to current and former members and to non-members who had dealt
with sales reps. Outside experts later determined that the attack occurred
sometime between March and June, the company said.

"There is no indication that the information has been used fraudulently,"
SCAN said in Friday's statement.

Almost all of SCAN's customers are in the southern part of the state,
including Los Angeles, Orange, Riverside, San Bernardino and Ventura
Counties, he said. The vast majority are in Medicare Advantage prescription
drug plans.

The compromised documents were "contact sheets," which the company says are
used for sales purposes. The hackers accessed names, addresses and phone
numbers, "and, for some individuals, date of birth, and limited health
information, such as doctor name, health condition, or medication name,"
according to SCAN's statement.

"A small number" of members' Social Security numbers "may have also been
included," it said.

SCAN member Bert Saavedra of Baldwin Park was distressed to receive the
Aug. 22 letter informing her about the electronic break-in. She wondered
why it took nearly two months for the company to inform members.

"If they got hacked between March and June why are they telling us in
August?" she asked.

"There should be a law, that … they have to tell the consumer within 24 to
48 hours so they can take steps," said Saavedra.

SCAN spokesman Goldberg said he was unable to comment on the amount of time
it took to alert members about the breach.

"Our top concern is protecting our members’ and prospective members’
information," he said. "We are conducting a thorough investigation and
ensuring that we take all necessary steps to maintain the trust of our
current and future customers."

Those affected by the hack have been offered a one-year free membership
with AllClear ID, a company that specializes in customer data breaches,
credit monitoring and credit repair, he said.

The company said it notified the U.S. Department of Health and Human
Services, the Centers for Medicare & Medicaid Services and state regulators
about the hack.

The attack on SCAN was different from so-called ransomware attacks against
four southern California hospitals earlier this year. In those cases,
hackers took over computer systems in a bid to extort a ransom. One
hospital, Hollywood Presbyterian Medical Center, paid its attackers $17,000
in bitcoin to regain control of its computers.