Mar 062018

Illinois-headquartered Flexible Benefit Service Corporation (“Flex”) is a general agency and benefit administrator serving insurance brokers, employers and insurance carriers. As such, they are a Business Associate to HIPAA-covered entities. The follow is from their notification of a security incident that was reported to HHS on February 16, as impacting 5,123 people. Flex does not indicate who the covered entity/health plan was or if members of more than one health plan were affected:

In connection with providing this service, we receive certain personal and protected health information. On December 6, 2017, we learned of phishing emails being sent from a Flex employee’s email account. We took immediate action by immediately changing the employee’s email account credentials and launching an investigation to determine what happened. Third party forensic experts were retained to assist with the investigation. We have determined the Flex employee was the victim of a phishing attack that resulted in their email account credentials being used by unknown individual(s) to gain unauthorized access to the employee’s email account. The investigation shows that the unknown individual(s) searched the email account for emails or attachments containing terms such as “wire transfer,” “wire payment,” and “invoice”. This type of information would not generally be in this employee’s email account. While the only unauthorized activity observed in the account were these searches, we cannot rule out the possibility of the individual(s) gaining access to any specific email or attachment in the account.

What Information Was Involved? Individuals who may have had their information improperly accessed are being sent personalized letters outlining what specific personal data may have been impacted. The personal data that may have been exposed varied, but included data types such as name, address, phone number, Social Security number, and date of birth. We confirmed this issue was contained to a single Flex employee’s email account and did not affect the rest of Flex’s systems.

What We Are Doing. In addition to taking the steps detailed above, Flex is providing those potentially affected with information on how to protect against identity theft and fraud, as well as access to free credit monitoring and identity theft recovery services through ID Experts. Flex is committed to enhancing its ongoing employee training designed to help them identify and properly report potential email phishing scams. Finally, we are providing notice of this event to consumer reporting agencies, state and federal regulators as required.

For More Information. If you have questions that are not answered in this notice, please contact our dedicated assistance hotline at 1-800-547-2519, Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern Standard Time.

Additional Resources:

[Frequently Asked Questions]
[Steps You Can Take To Protect Against Fraud and Identity Theft]
[Register for Identity Protection Services]

Feb 252018

Blake Deshazo reports:

Personal and financial information of current and former employees of Wallace Community College Selma has been accidentally leaked through a phishing scam, according to an attorney representing the school.

Alex Walker, an attorney with Mullen Coughlin, a law firm that specializes in cybersecurity and data privacy, said on Feb. 5 an employee with the college released W-2 forms after receiving an email posing as someone with the college requesting the information.

Read more on Selma Times-Journal.

Feb 232018

Herald Tribune reports:

On Tuesday, School District of Manatee County officials will ask the school board to approve a $300,000 settlement to a class action lawsuit being brought by school district employees who say they suffered damages from a massive data breach last January.

On Jan. 26, 2017 a payroll employee responded to an email phishing scam and released the W2 tax information of the district’s entire 7,700-employee workforce.

Read more on Herald Tribune.

h/t @K12CyberMap

Feb 222018

Meghan Bogardus Cortez reports:

University end users are pretty good at identifying a scam.

Only 10 percent of simulated phishing emails sent to users at education institutions were successful, a new study from Wombat Security Technologies reports. The company monitored tens of millions of simulated phishing attacks sent over the course of a year through its Security Education Platform across more than 15 industries.

The State of the Phish 2018 report found that users in education were less likely to click on a phishing attempt than those in technology, entertainment, hospitality, government, consumer goods, retail and telecommunications.

Read more on EdTech Magazine.