HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Horizon Actuarial Services Reports Data Theft and Extortion Incident

Horizon Actuarial Services, Clinic of North Texas, and Parkland Community Health Plan have recently announced breaches of the protected health information of patients and plan members.

Horizon Actuarial Services Reports Data Theft and Extortion Incident

Horizon Actuarial Services (HAS) has recently announced a security breach and the theft of the personal data of members of benefits plans to whom it provides technical and actuarial consulting services, including the Local 295 IBT Employer Group Welfare Fund and the Major League Baseball Players Benefit Plan.

HAS said it received an email on November 12, 2021, from a cyber actor who claimed to have stolen the personal data of plan members from its computer servers. Steps were immediately taken to secure its servers to prevent any further unauthorized access, and a computer forensics firm was engaged to investigate the potential security breach and determine the legitimacy of the email.

HAS confirmed that two servers had been accessed between November 10 and 11, 2021, and files containing names, dates of birth, Social Security numbers, and health plan information had been stolen. HAS said it negotiated with the cyber actors and made a payment in exchange for an agreement that the stolen data would be deleted and would not be distributed or misused.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

HAS said it notified the affected plans about the breach and offered to provide notifications. Letters started to be mailed to affected individuals on March 9, 2022. Complimentary credit monitoring and fraud and identity theft support services have been offered to affected individuals.

Some affected plans chose to self-report the breach. Horizon Actuarial Services reported the breach as affecting 38,418 individuals, and the breach was reported separately by the Major League Baseball Players Benefit Plan as affecting 13,156 individuals, and the Local 295 IBT Employer Group Welfare Fund as affecting 6,123 individuals.

HAS said it is reviewing its security policies and has implemented additional measures to protect against similar incidents in the future.

Clinic of North Texas Victim of November 2021 Cyberattack

Clinic of North Texas in Wichita Falls has recently announced it was the victim of a cyberattack on or around November 9, 2021, in which hackers gained access to patient data stored on its systems.  A third-party computer forensics firm was engaged to determine the nature and scope of the breach, and whether patient data was stolen in the attack.

The investigation revealed the attackers gained access to a folder on one of its systems that contained files that included patient names, addresses, dates of birth, and limited health information. Clinic of North Texas said it took several steps in response to the breach, including changing all administrator passwords, implementing two-factor authentication, and deploying endpoint detection, response, and threat hunting tools. Affected individuals have been offered complimentary memberships to a credit monitoring service.

The HHS’ Office for Civil Rights breach portal indicates the protected health information of 244,174 individuals was potentially compromised in the attack.

Parkland Community Health Plan Discovers Mailing Error

Parkland Community Health Plan (PCHP) in Dallas, TX, has recently discovered a mismailing incident that saw the ID cards of 1,682 of its members sent to other health plan members in error. The mailing error was discovered on January 4, 2022, with the investigation confirming the following types of information had been impermissibly disclosed: Name, PCHP ID number, provider information, and plan/copay information.

PCHP said the error was made at its print vendor, and steps have since been taken to ensure similar breaches are avoided in the future. PCHP said it is unaware of any misuse of plan member information and new ID cards have now been mailed to the correct individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.