HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breaches Reported by True Health New Mexico & Educators Mutual Insurance Association

The Albuquerque, NM-based health insurance agency True Health New Mexico has started notifying certain health plan members about the exposure and potential theft of some of their protected health information.

A data security incident was detected on October 5, 2021, and steps were immediately taken to secure its IT systems. The internal incident response team launched an investigation and third-party cybersecurity defense firms were engaged to assist with the forensic investigation.

The investigation revealed an unauthorized individual had gained access to its IT systems in early October and may have viewed or exfiltrated files that contained protected health information such as names, dates of birth, ages, home addresses, email addresses, insurance information, medical information, Social Security numbers, health account member IDs, provider information, and date(s) of service.

True Health New Mexico said at the time of issuing notification letters, no evidence had been found of misuse of members’ information; however, as a precaution against identity theft and fraud, affected individuals have been offered credit monitoring and identify theft protection services at no cost.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The cyberattack has been reported to law enforcement and a criminal investigation has been launched. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 62,983 individuals.

Educators Mutual Insurance Association

Murray, UT-based Educators Mutual Insurance Association (EMIA) has discovered an unauthorized individual had access to its computer network between July 29, 2021, and August 10, 2021, and may have viewed or obtained the protected health information of some of its members.

The breach was detected by EMIA on August 23, 2021, with the subsequent investigation confirming malware had been installed on its network. A review of the files on the parts of the compromised system revealed they contained protected health information such as names, addresses, dates of birth, clinical information, health insurance identification numbers, driver’s license numbers, and Social Security numbers. Full financial numbers of members are not believed to have been exposed.

A third-party cybersecurity firm has been engaged to conduct a forensic investigation, which is still ongoing. While no evidence of attempted or actual misuse of patient data has been found, affected individuals have been advised to remain vigilant against instances of identity theft.

EMIA says it will continue to regularly audit its system to identify unauthorized network activity and will be enhancing its network monitoring tools.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.