16,000 Individuals Impacted by Two Email-Related Breaches

Two email-related data breaches have been reported that have resulted in the disclosure of the protected health information of more than 16,000 individuals.

Flexible Benefit Service Corporation Breach Impacts 5,123 Individuals

Flexible Benefit Service Corporation (Flex), a Chicago-Il-based general agency and benefit administrator serving health insurance carriers, has announced the discovery of a phishing attack that resulted in an unauthorized individual gaining access to a corporate email account.

The security breach was detected on December 6, 2017 when an email account of a company employee was discovered to be sending phishing emails. The email account was compromised after a single employee responded to a phishing email and disclosed login credentials to the email account.

A third-party forensics firm was contracted to conduct an investigation into the breach and ascertain the extent of the attacker’s activities. The investigation highlighted the likely intentions of the attacker. Once access to the email account was gained, the attacker performed searches looking for details of invoices, wire transfers and wire payments.

This strongly suggests the aim of the attack was to use the account in a BEC attack rather than gain access to protected health information. The forensics firm could not confirm whether individual emails had been opened or if protected health information was viewed. Were that to be the case, the attacker could potentially have viewed information such as names, addresses, phone numbers, Social Security numbers, and birth dates.

Individuals impacted by the incident have been offered identity theft protection, recovery, and credit monitoring services for 12 months without charge. Flex has responded by enhancing its internal security awareness and anti-phishing training program for employees.

Kansas Department for Aging and Disability Services Experiences 11,000-Record Breach

The Kansas Department for Aging and Disability Services (KDADS) has discovered an employee sent an unauthorized email to a group of KDADS business associates containing the protected health information of approximately 11,000 consumers.

All of the email recipients have already signed a business associate agreement with KDADS which prohibits them from disclosures or inappropriate use of any emailed protected health information.

KDADs has contacted all the business associates who received the information to advise them of the error and request they delete or destroy the email and any printed copies of the information. No reports have been received to suggest the information has been spread any further nor that any of the information has been misused.

The types of information in the attached document included names, dates of birth, addresses, Social Security numbers, genders, Medicaid identification numbers, and in-home services program participation information.

The incident has prompted KDADS to revise its policies and procedures to prevent similar incidents from occurring in the future. The employee responsible for the error has been terminated.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.