Law Enforcement Health Benefits Plan Ransomware Attack Impacts 85K

March 31, 2022 - Law Enforcement Health Benefits Inc. (LEHB) began notifying plan members of a September 2021 ransomware attack that impacted over 85,000 individuals.

Threat actors infiltrated LEHB’s network on September 14, 2021. The Pennsylvania-based benefits plan subsequently discovered that the ransomware actors had encrypted files stored on its network.

In February 2022, LEHB determined that the threat actors had exfiltrated personal information, including names, Social Security numbers, driver’s license numbers, birth dates, health insurance information, and medical information.

Despite the evidence of data exfiltration, the benefits plan said it had not received any reports of identity theft or fraud.

“LEHB takes this incident and security of personal information very seriously. Cybersecurity threats continue to evolve and as a result, LEHB has taken additional steps to secure its network and improve internal procedures to identify and remediate future threats,” the notice stated.

“LEHB continues to assess and update its internal policies and procedures in order to minimize the risk of a similar incident in the future.”

CA Health Plan Remains Down Due to “Anomalous Activity”

Partnership HealthPlan of California (PHC) replaced its traditional webpage with a notice stating that its systems are down. The health plan said it detected “anomalous activity” on its computer systems and is working with forensic specialists to restore operations.

According to VentureBeat, Hive ransomware claimed responsibility for stealing 850,000 personally identifiable information (PII) records from the health plan. Hive ransomware was responsible for multiple healthcare cyberattacks, including one on Memorial Health System in August.

The organization’s phone systems have a recorded message that says that “all of our systems are down with no expected time of repair.”

It is unclear when the downtime began. PHC also said that it would be unable to receive or process Treatment Authorization Requests (TAR) until further notice.  

PhySynergy Faces Fourth-Party Data Breach

PhySynergy, which is owned by Epix Healthcare, posted a notice about an October 2021 data breach involving its lockbox service, IBERIABANK.

IBERIABANk uses Technology Management Resources (TMR) as a third-party lockbox service to process payments. TMR detected unusual activity within a lockbox user account and later determined that a threat actor had accessed the lockbox application between October 12 and October 14.

“TMR has stated that the bytes (bits of computer data) accessed by the threat actor were in binary format only and as an encoded string (this means that the data was an encoded series of information stored in the form of ones and zeros),” Epix stated.

“Technical manipulation of the bytes would be required to convert them into images. No actual images were viewed by the threat actor during the period of unauthorized access. TMR determined that it is likely that these bytes were obtained by the threat actor based upon traffic to the IP address. TMR’s investigation has not revealed any evidence to confirm that the threat actor converted the bytes into images, although this could have been possible”

The accessed data potentially included PHI and PII belonging to PhySynergy patients, including names, health insurance information, medical record numbers, treatment information, dates of service, financial account numbers, and Social Security numbers.

In response to the incident, IBERIABANK is offering free credit monitoring and identity theft protection services.