PHI of Navistar Health Plan Members Compromised in May 2021 Cyberattack

Share this article on:

Lisle, IL-based Navistar Inc. has issued further notification letters to individuals affected by a security breach that was detected on May 20, 2021.

The U.S. truck manufacturer immediately implemented its cybersecurity response plan when a potential breach of its information technology systems was detected, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and scope of the breach.

On May 31, 2021, Navistar was informed that certain data had been extracted from its systems in the attack. The investigation into the data theft confirmed on August 20, 2021 that the exfiltrated files contained the protected health information of current and former members of Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan. That information is understood to have been stolen prior to the discovery of the security breach on May 20.

Navistar said the exfiltrated data potentially included names, addresses, dates of birth, and information related to participation on the health and insurance plans, which may have included some health-related information such as the names of providers and prescriptions. A subset of individuals also had their Social Security numbers compromised.

Navistar said it has taken several actions following the security incident, including enhancing its security protocols and controls, implementing new technology, and conducting further training for the workforce. Security controls will continue to be assessed and updated as appropriate to prevent further security breaches.

Notification letters were sent to affected individuals to alert them to the data breach in early July, with the latest notification letters providing further information on the same incident, including advising additional individuals that further investigation into the security breach showed their Social Security numbers had also been compromised.

Navistar said it is offering a 2-year complementary membership to credit monitoring and identity theft protection services to individuals who had their Social Security number compromised in the attack.

The breach was reported to the Maine Attorney General as affecting 63,126 individuals, with the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicating the protected health information of 49,000 plan members was compromised.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On