The healthcare sector continues to be the target of cyberattacks, with Managed Health Services (MHS) of Indiana Health Plan announcing recently that a third-party data breach potentially exposed up to 31,000 patients’ personal data in one of two security incidents the company has disclosed in the past month.
The organization reportedly manages Indiana’s Hoosier Healthwise and Hoosier Care Connect Medicaid programs. “MHS learned from its vendor, LCP Transportation, that unauthorized persons had gained access to some of their employees’ email accounts. This access took place sometime between July 30 and September 7, 2018,” the news release stated.
On October 29, 2018, MHS launched an investigation after learning that protected health information, including names, insurance ID numbers, addresses, dates of birth, dates of service and descriptions of medication conditions, was possibly disclosed.
“The incident was caused by a phishing attack on the vendor’s systems. The vendor immediately took steps to secure the email accounts and began an investigation, including hiring a computer forensic firm to assist. The investigation concluded that some of your information may have been in the email accounts and that could be accessed. There is no evidence that your information has been misused.”
“Phishing attacks are a favorite for malicious adversaries as one of the most successful methods for stealing and exposing data. LCP Transportation, a third-party vendor of Managed Health Services, recently felt the impact of how a phishing attack targeted at their employees can trickle down the chain – ultimately breaching roughly 31,000 patient records held by their business associate,” said Fred Kneip, CEO, CyberGRX.
“To combat this, healthcare providers require a cyber solution that moves beyond previous, static approaches to third-party cyber-risk management that is unable to scale with their growing ecosystems.”
According to Becker’s Hospital Review, this is the fourth data breach impacting health plans disclosed in the past month. Yet another example of the ways in which individuals and their personal data are at the mercy of insecure organizations, the MHS incident follows a reported data breach at Humana and two separate security incident announcements at BCBS of Michigan.