HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

$107,000 Stolen from Kentucky Employees’ Health Plan Members in Two Recent Cyberattacks

The Commonwealth of Kentucky Personnel Cabinet has announced that two data breaches occurred between late April and early May. The attacks resulted in the exposure of the protected health information of around 1,000 members of the Kentucky Employees’ Health Plan.

The first attack occurred between April 21 and April 27 and a second occurred in mid-May. In both cases, the attackers used stolen credentials to gain access to accounts.

In the first attack, legitimate credentials were used to gain access to StayWell systems. StayWell is a third-party vendor that manages a well-being and incentive portal for health plan members.

Through the portal, plan members are empowered to take care of their health and lead healthier lifestyles. Plan members who meet their health goals by completing certain actions and challenges are rewarded with points that can be exchanged for gift cards.


The first cyberattack was detected and investigated by StayWell, the Commonwealth Office of Technology, and the Kentucky Personnel Cabinet. It was determined that while the attackers gained access to the portal, they were not able to view highly sensitive information such as Social Security numbers, dates of birth, and addresses – the types of information commonly sought by identity thieves; however, the attackers were able to access biometric screening information and health assessment data. The attackers were also able to redeem points that had been accumulated by members, which were exchanged for gift cards. The hackers fraudulently redeemed approximately $100,000 of points. 971 individuals were affected by the first breach.

StayWell implemented several security enhancements after the first attack; however, the hackers struck again and gained access to the government email accounts of 42 plan members in the second attack and used accumulated points to fraudulently obtain $7,700 in gift cards.

According to StayWell, the second data breach occurred as a direct result of the first and appears to have been due to password reuse. Certain plan members had used the same password for the portal as they did for their government email accounts, which allowed the hackers to access the email accounts.

The second breach serves as a reminder of the danger of reusing passwords across multiple accounts and platforms. Strong passwords should always be used so that they cannot easily be guessed, and a unique strong password should be set for each platform or account. Password managers are useful for storing strong passwords, but it is essential that a very strong password is set as the password manager master password.

StayWell said it is working on further security enhancements and has requested all affected members set stronger, unique passwords. The Personnel Cabinet will make resources, tools, and training available to help state employees and other users of the StayWell platform improve security.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.