Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association

The medical payment billing service provider MultiPlan has announced a breach of its email environment. On January 27, 2021, suspicious activity was identified in the email account of one of its employees. Action was immediately taken to terminate unauthorized access and the employee’s email credentials were changed.

MultiPlan immediately launched an investigation to determine the nature and scope of the breach, with assistance provided by forensics experts. The investigation confirmed that the main purpose of the attack was to divert wire transfers from MultiPlan customers looking to pay invoices. The email account was compromised and used by the attacker to communicate with those customers regarding billing, and to attempt to divert payments to an account under their control.

While protected health information does not appear to have been targeted in the attack, the compromised email account was found to contain the protected health information of 214,956 individuals. That information could have been viewed or obtained by the attacker between December 23, 2020 and January 27, 2021.

The types of information in the account included full names, addresses, email addresses, dates of birth, healthcare provider names, medical record numbers, date/cost of healthcare services, claims identifiers, health insurance ID numbers, member IDs, group IDs, and Social Security numbers.

MultiPlan has notified all affected individuals and will be covering the cost of two years of credit monitoring. Additional protocols and processes have now been implemented to prevent further email breaches.

Hawaii Independent Physicians Association Reports Email Account Breach

Hawaii Independent Physicians Association (HIPA) is notifying 18,770 patients about a security incident involving the email account of a subcontractor.

On February 4, 2021, HIPA determined an unauthorized individual had accessed the email account. External access to the account was immediately blocked and, as a precaution, all HIPA users were required to change their login credentials for their system and email accounts. Assisted by a third-party cybersecurity firm, HIPA determined the breach was limited to a single email account, which contained the protected health information of patients of its physicians.

The types of information in the compromised account included full names, dates of birth, home addresses, and information about the general health condition of patients. No evidence of unauthorized data access was found, but the possibility that PHI was viewed or obtained could not be ruled out.

The cybersecurity firm investigating the breach made recommendations to improve email security and HIPA is in the process of implementing the suggested changes.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.