The bodybuilding and personal fitness website Bodybuilding.com has announced it has experienced a security incident that may have resulted in the information of customers and employees being accessed by unauthorized individuals.
While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, Bodybuilding.com was required to report the breach of group health plan members' PHI to the Office for Civil Rights.
The breach was discovered in February 2019 when suspicious activity was detected on the company's network. A formal breach investigation was launched, which revealed that access to the network was gained as a result of an employee falling for a phishing scam.
While the data of customers and employees is not believed to have been obtained by unauthorized individuals as a result of the phishing attack, the possibility could not be ruled out.
The breach has now been resolved and the company's systems have been secured. A forced password reset was performed for all users of the website as a precaution. For customers, the information potentially obtained was limited to names, email addresses, addresses, phone numbers, birth dates, profile information, order histories, billing and shipping addresses, and communications with the company.
Current and former employees of the Idaho-based fitness retailer who are members of the company’s group health plan had some of their employment-related information exposed. The breach also affected enrollees’ dependents and beneficiaries. The exposed information included names, contact information, dates of birth, Social Security numbers, government ID numbers, group health plan subscriber information, claims information, and procedure codes.
The breach investigation was concluded on April 19, and all affected employees have been notified about the exposure of their PHI out of an abundance of caution. No reports of data misuse have been received to date.
The breach summary has recently appeared on the Department of Health and Human Services' Office for Civil Rights breach portal, which indicates that 3,193 current and former employees, dependents, and beneficiaries have been affected by the breach.