According to a recent class action lawsuit, Highmark Health, the second largest integrated delivery and financing system in the US, suffered an email phishing attack that impacted 300,000 individuals who are now at risk of identity theft.
Hackers Gained Access To Data Using A Phishing Email
Highmark announced that an unauthorized individual was able to access the email account of one of its employees following a response to a phishing email. After the employee clicked the link in the email and disclosed their credentials, the account was accessed remotely by an unauthorized third party who potentially viewed and exfiltrated emails and attachments from the account.
The unauthorized account activity was detected by Highmark Health on December 15, 2022, with the initial compromise occurring on December 13, 2022. A review of the emails and attachments revealed they contained the protected health information of health plan members, such as group name, identification numbers, claim numbers, dates of service, procedures, prescription information, addresses, phone numbers, email addresses, and financial information. The Social Security numbers of a subset of individuals were also exposed.
When the breach was detected, the affected mailbox was immediately deactivated, network blocking was implemented, and passwords were reset. Email security controls have also been enhanced and further training has been provided to employees on how to identify phishing attempts and other cyber threats.
Highmark Offering Two Years Of Complimentary Credit Monitoring
While no evidence of misuse of the affected data has been identified, affected individuals are being offered complimentary credit monitoring and identity theft protection services for a period of two years, irrespective of whether their Social Security numbers were involved.
Notification letters for those affected by the breach are being mailed on February 13, 2023. Two letters will be sent: one to advise those whose Social Security number appeared in the breach, and another to advise those whose SSN wasn’t included in the breach.
Concern About Whether Two Years Of Credit Monitoring Is Enough
Victims of identity theft often don’t realize their identity is compromised until years after an attack. The reason is that perpetrators of such attacks expect victims to immediately seek protection against misuse of their identities and are aware that standard industry practice limits such protection to two years.
Case Status: Open – Not Accepting New Clients