Illinois-headquartered Flexible Benefit Service Corporation (“Flex”) is a general agency and benefit administrator serving insurance brokers, employers and insurance carriers. As such, they are a Business Associate to HIPAA-covered entities. The follow is from their notification of a security incident that was reported to HHS on February 16, as impacting 5,123 people. Flex does not indicate who the covered entity/health plan was or if members of more than one health plan were affected:
In connection with providing this service, we receive certain personal and protected health information. On December 6, 2017, we learned of phishing emails being sent from a Flex employee’s email account. We took immediate action by immediately changing the employee’s email account credentials and launching an investigation to determine what happened. Third party forensic experts were retained to assist with the investigation. We have determined the Flex employee was the victim of a phishing attack that resulted in their email account credentials being used by unknown individual(s) to gain unauthorized access to the employee’s email account. The investigation shows that the unknown individual(s) searched the email account for emails or attachments containing terms such as “wire transfer,” “wire payment,” and “invoice”. This type of information would not generally be in this employee’s email account. While the only unauthorized activity observed in the account were these searches, we cannot rule out the possibility of the individual(s) gaining access to any specific email or attachment in the account.
What Information Was Involved? Individuals who may have had their information improperly accessed are being sent personalized letters outlining what specific personal data may have been impacted. The personal data that may have been exposed varied, but included data types such as name, address, phone number, Social Security number, and date of birth. We confirmed this issue was contained to a single Flex employee’s email account and did not affect the rest of Flex’s systems.
What We Are Doing. In addition to taking the steps detailed above, Flex is providing those potentially affected with information on how to protect against identity theft and fraud, as well as access to free credit monitoring and identity theft recovery services through ID Experts. Flex is committed to enhancing its ongoing employee training designed to help them identify and properly report potential email phishing scams. Finally, we are providing notice of this event to consumer reporting agencies, state and federal regulators as required.
For More Information. If you have questions that are not answered in this notice, please contact our dedicated assistance hotline at 1-800-547-2519, Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern Standard Time.