Accendo Insurance Company Affected by Business Associate Data Breach
Data breaches have recently been announced by Accendo Insurance Company, Menorah Life, Humboldt Independent Practice Association, and Samaritan Counseling Center of the Fox Valley.
Accendo Insurance Company
Accendo Insurance Company, a CVS Health Medicare supplement insurance provider, has been affected by a data breach at one of its business associates. Landmark Admin is a third-party administrator for insurance carriers, and in its capacity as a business associate, was provided with the personal information of individuals who purchased insurance through Accendo. On or around May 13, 2024, Landmark identified suspicious activity within its computer network. A third-party cybersecurity firm was engaged to investigate the activity and the investigation concluded on July 24, 2024. Landmark confirmed that a ransomware group had access to its network between May 13, 2024, and June 17, 2024, and exfiltrated data from its systems and encrypted files.
According to Accendo’s January 22, 2025, notice to the South Carolina Attorney General, Landmark has been issuing notifications to the affected individuals on a rolling basis and is offering complimentary credit monitoring services to the affected individuals. The information exposed and potentially stolen includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information.
Landmark has implemented additional technical and administrative safeguards to reduce the risk of further security breaches. They include new servers, a new firewall, obtaining new IP addresses, implementing new domain controllers, changing passwords, implementing multifactor authentication for all devices, reimaging all network printers and network switches, updating all IoT devices with the latest firmware, and using BitLocker on all hard drives. Additional security awareness training has been provided to the workforce, restrictions have been placed on all points of access to servers, and a managed service provider has been engaged to provide additional monitoring and protection software. The full extent of the breach is currently unclear; however, Accendo informed the South Carolina Attorney General on February 5, 2025, that 16,090 South Carolina residents have been affected.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Menorah Life
Menorah Life, a St. Petersburg, FL-based nonprofit assisted living, skilled nursing, and rehabilitation care provider serving the Jewish community, has confirmed that the protected health information of 2,800 patients was potentially compromised in a security incident at one of its third-party vendors. Menorah Life was notified on September 19, 2024, by the cloud-based healthcare software provider, PointClickCare, about a security breach that occurred on July 20, 2024. An unauthorized third party used compromised end-user credentials to access accounts, including one Menorah Life account.
The account was accessed between July 27, 2024, and July 22, 2024, and information in the account may have been viewed or acquired. The file review confirmed that the following information had been exposed: names, Social Security numbers, Medicaid/ Medicare IDs, treatment, prescription, and diagnosis information, admission/discharge dates, and health insurance policy numbers. Individual notification letters were mailed on January 29, 2025. Menorah Life has offered the affected individuals complimentary credit monitoring and identity theft protection services.
Humboldt Independent Practice Association
Humboldt Independent Practice Association, a California company that administers health plans and healthcare services on behalf of providers, was targeted in a phishing campaign. The phishing emails appeared to be legitimate communications from one of its providers and tricked one employee into divulging their account credentials. The forensic investigation confirmed unauthorized access to a single email account between June 26, 2024, and July 1, 2024. The account was reviewed and determined to contain first and last names in combination with one or more of the following: mailing address, emergency contact information, email, telephone number, date of birth, driver’s license, medical diagnosis/condition, and health insurance information. Individuals who had their Social Security numbers exposed have been offered complimentary single-bureau credit monitoring services for 12 months. The breach was reported to the HHS’ Office for Civil Rights on November 11, 2024, as involving the protected health information of 500 individuals.
Samaritan Counseling Center of the Fox Valley
Samaritan Counseling Center of the Fox Valley, a mental health service provider in Menasha, Wisconsin, identified suspicious activity in an employee’s account on November 18, 2024. The account was immediately secured and third-party forensics specialists were engaged to investigate the activity. The investigation revealed multiple email accounts had been compromised. The review of those accounts was completed on December 19, 2024, and confirmed that they contained the protected health information of 956 patients. Information potentially accessed and copied included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and medical information. Notification letters have been mailed to the affected individuals and policies, procedures, and processes have been reviewed to determine where additional safeguards can be implemented.
