Security Breaches Reported by Benefit Plan Administrators and The People Concern

Roanoke, VA-based Benefit Plan Administrators Inc., has recently notified 3,775 individuals that an unauthorized individual gained access to its network and removed files that contained some of their protected health information. It is unclear from the breach notification letters when the incident occurred, but the forensic investigation concluded on March 15, 2022, and the notification letters were sent to affected individuals on or around June 15.

Benefit Plan Administrators said the following types of information were in the files that were removed from its systems: full names, addresses, dates of birth, Social Security numbers, gender classification, claims information, medications information, and medical diagnosis/conditions information. The breach was reported to the HHS’ Office for Civil Rights as four separate incidents. Employees of Alpha Natural Resources Non-Union VEBA Trust and Williamson Employment Services, Inc. are known to have been affected.

No evidence was found to indicate any of the removed information has been misused. Complimentary credit monitoring services have been provided to affected individuals. Benefit Plan Administrators said additional safeguards have been implemented by the IT department to prevent similar incidents in the future.

The People Concern Reports Breach of Employee Email Accounts

The People Concern, a Los Angeles, CA-based homeless service, has discovered the email accounts of some of its employees have been accessed by an unauthorized third party. The accounts contained the sensitive information of community members such as date of birth, Social Security number, health insurance information, and medical information regarding care received through its programs.

Please see the HIPAA Journal Privacy Policy

The security breach was detected when suspicious activity was observed in the email accounts, with the investigation revealing they had been accessed by unauthorized individuals at various times between April 6, 2021, and December 9, 2021

In response to the breach, email security measures have been enhanced and affected individuals have been offered complimentary memberships to an identity theft protection and resolution service for one year. It is currently unclear how many individuals have been affected.

Advocates Inc. Discovers Further Individuals Affected by 2021 Data Breach

In January 2022, Framingham, MA-based Advocates Inc. started notifying individuals affected by a cyberattack that saw its network compromised between September 14, 2021, and September 18, 2021. The incident was initially thought to have affected 68,236 individuals, but the investigation later confirmed that additional individuals had been affected. The review of the impacted files continued until June 9, 2022, and additional notifications were mailed to affected individuals on June 28, 2022. Details of the breach can be found in this post. It is currently unclear how many additional individuals have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.