BenefitMall Phishing Attack Impacts 111,589 Plan Members

A recently discovered BenefitMall phishing attack has resulted in the exposure of 111,589 plan members’ protected health information.

BenefitMall, a division of Centerstone Insurance and Financial Services, discovered on October 11, 2018, that hackers had gained access to several employee email accounts as a result of their responses to phishing emails.

Third-party computer forensics experts were called in to assist with the investigation and determine the scope and extent of the breach. The investigation revealed that the email accounts had been compromised over a period of 4 months, with the first account compromised in June 2018.

Prompt action was taken to secure the breached email accounts and prevent further unauthorized access; however, during the time the accounts were accessible, emails in those accounts may have been viewed or downloaded by the attackers.

An analysis of the emails in the breached accounts revealed they contained a range of protected health information including plan members’ names, addresses, Social Security numbers, bank account numbers, insurance premium information, and dates of birth.

Law enforcement has been notified about the breach and letters have been sent to all plan members whose PHI was exposed. Those letters were sent on January 4, 2019, almost 7 months after the first email account was compromised and almost three months after the breach was detected. It is unclear why the notifications to plan members were delayed. Under HIPAA, notifications must be issued within 60 days of the discovery of the breach, although notifications can be delayed at the request of law enforcement.

BenefitMall has completed a review of its email security controls and has made enhancements to protect against further phishing attacks, including the implementation of 2-factor authentication. Staff have also received further training to improve phishing awareness. BenefitMall says further phishing awareness training will be provided to staff on an ongoing basis.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news