25% off all training courses Offer ends June 26, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends June 26, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

3,193 Employees and Dependents Affected by Bodybuilding.com Data Breach

Posted By on May 7, 2019

The bodybuilding and personal fitness website Bodybuilding.com has announced it has experienced a security incident that may have resulted in the information of customers and employees being accessed by unauthorized individuals.

While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, bodybuilding.com was required to report the breach of group members’ PHI to the Office for Civil Rights.

The breach was discovered in February 2019 when suspicious activity was detected on its network. A formal breach investigation was launched which revealed access to the network was gained as a result of an employee falling for a phishing scam.

While the data of customers and employees is not believed to have been obtained by unauthorized individuals as a result of the phishing attack, the possibility could not be ruled out.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The breach has now been resolved and its systems have been secured. A forced password reset was performed for all users of the website as a precaution. For customers, the information potentially obtained was limited to names, email addresses, addresses, phone numbers, birth dates, profile information, order histories, billing and shipping addresses, and communications with the company.

Current and former employees of the Idaho-based fitness retailer who are members of the company’s group health plan had some of their employment-related information exposed. The breach also affected enrollees’ dependents and beneficiaries. The exposed information included names, contact information, dates of birth, Social Security numbers, government ID numbers, group health plan subscriber information, claims information, and procedure codes.

The breach investigation was concluded on April 19, and all affected employees have been notified about the exposure of their PHI out of an abundance of caution. No reports of data misuse have been received to date.

The breach summary has recently appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, which indicates 3,193 current and former employees, dependents, and beneficiaries have been affected by the breach.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist