Portals Accessed Using Stolen Credentials of Health Plan Members

Independence Blue Cross, AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey have discovered that hackers obtained access to pages in their member portals between March 17, 2020 and April 30, 2020 and may have seen the personal and protected health information of some of their account holders.

The range of data possibly accessed included names, member identification numbers, plan type, spending account balances, user reward summaries, and claims details.

A breach review showed that valid credentials had been used to log onto the portal. In all instances, the passwords used to access the member portals had been obtained due to breaches of third-party websites and applications, such as the breach of MyFitnessPal in 2018. The passwords for those third-party websites had been reused on member portals.

The health plans were made aware of the breach on May 8, 2020 and immediately took steps to lock down the accounts and prevent additional unauthorized access. All affected members have now been notified and have been offered two years of free credit monitoring and identity theft protection services.

Elsewhere, 49,511 account holders with Oregon-based Providence Health Plan have been impacted by a data breach at one of its business associates.

On April 17, 2020, Brooklyn-based Zipari made Providence Health Plan aware of a coding error that allowed documents related to employer-sponsored health plans to be accessed online. The coding error was discovered by Zipari on April 9, 2020. The review showed that the documents had been accessed by unauthorized individuals in May, September, and November 2019. The documents included member names, employer names, and dates of birth. No other information was involved.

The breach led to Providence Health Plan conducting a third-party audit of Zipari’s data security practices. Impacted plan members have been offered complimentary credit monitoring services.

Finally, on May 7, 2020, Central California Alliance for Health (CCAH) became aware that an unauthorized individual had gained access to the email accounts of some of its staff and potentially viewed and obtained the protected health information of some of its members. According to the breach notice filed with the California Attorney General’s office, many CCAH email accounts could have been accessed without proper authorization for about one hour.

A review of the impacted email accounts showed that they included names, dates of birth, demographic information, Medi-Cal ID numbers, Alliance Care Management Program records, claims information, medical information, and referral details.

A complete password reset was carried out on all CCAH email accounts and additional training has been provided to the workforce on email security.

Author: Elizabeth Hernandez

Elizabeth Hernandez works as a reporter for NetSec.news. Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy.