HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Network Health Phishing Attack Impacts 51,000 Plan Members

Wisconsin-based insurer Network Health has notified 51,232 of its plan members that some of their protected health information (PHI) has potentially been accessed by unauthorized individuals.

In August 2017, some Network Health employees received sophisticated phishing emails. Two of those employees responded to the scam email and divulged their login credentials to the attackers, who used the details to gain access to their email accounts.

The compromised email accounts contained a range of sensitive information including names, phone numbers, addresses, dates of birth, ID numbers, and provider information. No financial information or Social Security numbers were included in the compromised accounts, although certain individuals’ health insurance claim numbers and claim information were potentially accessed.

The breach was detected rapidly and the affected accounts were shut down to limit the harm caused. An external cybersecurity consultant was brought in to assess the extent of the attack and perform a forensic analysis to determine whether access to other parts of the network had been gained. The incident was also reported to law enforcement, which is investigating the breach.

Penny Ransom, Network Health’s Chief Administrative Officer, said, “As a result of this attack, steps are underway to further improve the security of operations and prevent future incidents.”

Those measures include re-training the workforce to help employees recognize and report phishing emails. A full review of security processes and procedures is also being conducted. All individuals impacted by the attack have been offered one year of credit monitoring and identity theft protection services without charge.

Network Health was one of three healthcare organizations to report phishing attacks in September. Morehead Memorial Hospital experienced a phishing attack that potentially resulted in the exposure of 66,000 patients’ PHI. Arkansas Oral & Facial Surgery Center also fell victim to a phishing attack that saw ransomware installed. That attack potentially impacted 128,000 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.