Centerstone Insurance and Financial Services, operating as BenefitMall, is notifying 111,589 consumers that their personal data was potentially breached during a months-long phishing attack.
On October 11, officials discovered that a hacker had gained access to several employee email accounts through phishing attacks.
A third-party forensics team was hired to assist with the investigation, which determined the initial hack began in June 2018, with the breach extending to additional email accounts throughout the 4-month period.
Upon discovery, officials promptly secured the compromised accounts to prevent further remote access by the hacker. The investigation found the compromised plan member data included names, Social Security numbers, bank account numbers, insurance premium payment information, dates of birth, and addresses.
BenefitMall has since reviewed its email security controls, along with two-factor authentication, to better protect against phishing attacks. Employees have also received further training around phishing awareness, which will be repeated on an ongoing basis.
Law enforcement was notified, and officials said they’ll continue to investigate the breach. Notifications were sent on January 4, but officials did not explain the delay in reporting from the October 11 discovery. Under HIPAA, healthcare organizations are required to report breaches within 60 days of discovering the incident.
The BenefitMall breach follows a growing trend of healthcare provider breaches that are caused by phishing and go undetected for an extended period of time. Most recently, Choice Rehabilitation Center notified about 4,300 patients of a months-long hack caused by a phishing attack on an employee email account.
The best way to detect unauthorized access is through access management and network monitoring. Other security leaders have recommended taking risky decisions away from email users within the organization. As threats continue to improve in sophistication, shoring up user authentication will be critical to the healthcare sector.