HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of Navistar Health Plan Members Compromised in May 2021 Cyberattack

Lisle, IL-based Navistar Inc. has issued further notification letters to individuals affected by a security breach that was detected on May 20, 2021.

The U.S. truck manufacturer immediately implemented its cybersecurity response plan when a potential breach of its information technology systems was detected, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and scope of the breach.

On May 31, 2021, Navistar was informed that certain data had been extracted from its systems in the attack. The investigation into the data theft confirmed on August 20, 2021 that the exfiltrated files contained the protected health information of current and former members of Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan. That information is understood to have been stolen prior to the discovery of the security breach on May 20.

Navistar said the exfiltrated data potentially included names, addresses, dates of birth, and information related to participation on the health and insurance plans, which may have included some health-related information such as the names of providers and prescriptions. A subset of individuals also had their Social Security numbers compromised.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Navistar said it has taken several actions following the security incident, including enhancing its security protocols and controls, implementing new technology, and conducting further training for the workforce. Security controls will continue to be assessed and updated as appropriate to prevent further security breaches.

Notification letters were sent to affected individuals to alert them to the data breach in early July, with the latest notification letters providing further information on the same incident, including advising additional individuals that further investigation into the security breach showed their Social Security numbers had also been compromised.

Navistar said it is offering a 2-year complementary membership to credit monitoring and identity theft protection services to individuals who had their Social Security number compromised in the attack.

The breach was reported to the Maine Attorney General as affecting 63,126 individuals, with the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicating the protected health information of 49,000 plan members was compromised.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.