[BreachExchange] Third-Party Vendor Phishing Attack Breaches 31,000 Patient Records

Destry Winant destry at riskbasedsecurity.com
Sun Jan 13 23:59:45 EST 2019


https://healthitsecurity.com/news/third-party-vendor-phishing-attack-breaches-31000-patient-records

Managed Health Services of Indiana Health Plan is notifying about
31,000 patients of a potential breach to their personal data, caused
by a phishing attack on a business associate.

According to officials, several employees of LCP Transportation, an
MHS vendor, responded to phishing emails around July 30, which gave a
hacker remote access to these accounts for more than a month. LCP
Transportation disabled the impacted accounts on September 7.

The vendor launched an investigation in partnership with a third-party
forensics firm. Officials said they found the emails contained patient
data, which included names, insurance ID numbers, addresses, dates of
birth, dates of service, and medical conditions.

LCP Transportation notified MHS about the breach on October 29. MHS
then launched its own investigation. Notifications went out on
December 20, and all patients are being offered a year of free credit
monitoring.

“We have tested the email process with them to ensure it is working
correctly,” MHS said in a statement. “Our vendor is making
improvements to their system security and conducting employee training
about cyber risks.”

The same day MHS notified patients of the third-party vendor hack,
officials announced a second breach caused by a mailing error. On
October 16, protected health information was unintentionally disclosed
when a letter about a pharmacy change was incorrectly mailed to the
wrong member.

Officials learned of the event on October 25. The information
contained the names, insurance IDs, and medication information of
about 576 plan members.

According to the notice, MHS is calling patients to retrieve all of
the letters mailed to the wrong recipients. Officials are also
reinforcing mailing policies and procedures around patient data and
reviewing the process around sending mailing addresses to its national
mailing center.

MHS joins two other organizations that reported multiple breaches in
December. Blue Cross Blue Shield of Michigan reported a laptop theft
and a ransomware attack on its service provider, Wolverine Solutions.

Meanwhile, Humana reported three breaches last month: a breach on its
business associate, a theft, and a phishing attack on Family
Physician’s Group, owned by Humana.

