The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Credential Stuffing Attack Exposed United HealthCare Member Data

United HealthCare (UHC) has started notifying certain members that some of their protected health information may have been disclosed to unauthorized individuals as a result of credential stuffing attacks on the UHC mobile application. Credential stuffing is a type of attack where username and password combinations obtained in a breach at one platform are used to access accounts on an unrelated platform. These attacks can only succeed if usernames and passwords have been reused on multiple platforms.

The accounts subjected to unauthorized access included information such as names, birthdates, addresses, health insurance member ID numbers, service dates, provider names, claim details, and group names and numbers. No Social Security numbers, financial information, or driver’s license numbers were exposed.

The attacks occurred between February 19 and February 25, 2023. UHC took its portal offline immediately when the attacks were detected to prevent further unauthorized access, and a password reset was performed. The investigation found no evidence to suggest the credentials had been obtained in a cyberattack on UHC systems. Affected individuals have been offered complimentary credit protection services for 2 years.

United Healthcare Services, Inc. Single Affiliated Covered Entity has reported four data breaches to the HHS’ Office for Civil Rights so far this year. Two breaches were reported on May 5 – a hacking incident affecting 26,561 individuals and an unauthorized access and disclosure incident affecting 1,971 individuals. On May 12, 2023, an unauthorized access and disclosure incident was reported that affected 1,116 individuals, and on July 28, a hacking incident was reported that has affected up to 398,319 individuals.

Ethan Health Reports Email Account Breach

Ethan Health, a Richmond, KY-based medical laboratory, has recently confirmed that the protected health information of 4,047 individuals was contained in employee email accounts that were accessed by unauthorized individuals. Suspicious activity was detected within its email environment on August 31, 2022. The forensic investigation confirmed the accounts were accessed between May 5, 2022, and September 8, 2022. It took 7 months to investigate and complete the review of the contents of the accounts. That process was completed on March 9, 2023.

The information in the accounts varied from individual to individual and may have included names, dates of birth, driver’s license numbers, financial account information, credit or debit card information, medical information, and health insurance information. Affected individuals have been offered complimentary credit monitoring services for 24 months. Additional security measures have been implemented to prevent similar incidents in the future.

McLaren Greater Lansing Hospital Left Records ‘Unprotected’ in Decommissioned Hospital

McLaren Greater Lansing Hospital in Michigan has been accused of leaving boxes of confidential medical records in a decommissioned hospital, where the records could potentially be accessed by unauthorized individuals. The records were discovered by an individual who attended a preview of the campus on April 19, 2023, ahead of an auction. The man who found the records said the files included sensitive information such as names, addresses, phone numbers, and medical information. It is currently unclear how many individuals have had their data exposed.

McLaren Greater Lansing Hospital said the records were destined to be securely destroyed and were accessed before that process could take place. An investigation has been launched to determine how the whistleblower managed to gain access to the records, and the hospital has confirmed that it is reverifying that all documents awaiting destruction are locked away to prevent unauthorized access.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
