HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Health Plan Member Portals Accessed Using Stolen Credentials

The Philadelphia-based health plan, Independence Blue Cross, and AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey have discovered unauthorized individuals gained access to pages in their member portals between March 17, 2020 and April 30, 2020 and potentially viewed the personal and protected health information of some of their members.

The types of information exposed included names, member identification numbers, plan type, spending account balances, user reward summaries, and claims information.

An investigation into the breach revealed valid credentials had been used to access the portal. In all cases, the passwords used to access to the member portals had been obtained as a result of breaches of third-party websites and applications, such as the breach of MyFitnessPal in 2018. The passwords for those third-party websites had been reused on member portals.

The health plans were informed of the breach on May 8, 2020 and immediately took steps to secure the accounts and prevent further unauthorized access. All affected members have now been notified and have been offered 24 months of free credit monitoring and identity theft protection services.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

49,500 Providence Health Plan Members Affected by Business Associate Data Breach

49,511 members of the Oregon-based Providence Health Plan have been affected by a data breach at one of its business associates.

On April 17, 2020, Brooklyn-based Zipari alerted Providence Health Plan about a coding error that allowed documents related to employer-sponsored health plans to be exposed online. The coding error was detected by Zipari on April 9, 2020. The investigation revealed the documents had been accessed by unauthorized individuals in May, September, and November 2019. The documents contained member names, employer names, and dates of birth. No other information was compromised.

The breach prompted Providence Health Plan to arrange a third-party audit of Zipari’s data security practices. Affected plan members have been offered complimentary credit monitoring services.

Central California Alliance for Health Discovers ‘Many’ Email Accounts Breached

On May 7, 2020, Central California Alliance for Health (CCAH) discovered an unauthorized individual gained access to the email accounts of some of its employees and potentially viewed and obtained the protected health information of some of its members. According to the breach notice submitted to the California Attorney General’s office, many CCAH email accounts were subjected to unauthorized access for about one hour.

A review of the compromised email accounts revealed they contained names, dates of birth, demographic information, Medi-Cal ID numbers, Alliance Care Management Program records, claims information, medical information, and referral information.

A full password reset was performed on all CCAH email accounts and further training has been provided to the workforce on email security. CCAH is unaware of any misuse of members information.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.