Heads up: Highmark Health will be notifying 300,000 patients of a phishing incident. Watch for your mail this month.
Highmark Health defines itself as a “national, blended health organization” that includes the Highmark Health Plan (a Blue Cross Blue Shield insurer); a regional hospital and physician network; and companies that offer dental solutions, reinsurance solutions, population health management, and technology solutions.
Letters have not gone out yet and will not be going out in the mail until February 13, but Highmark Health will be notifying 300,000 patients of a data security breach that occurred on December 13, 2022, after an employee clicked on a link that they should not have clicked on. The breach was discovered on December 15, 2022.
According to Highmark’s notification letter, seen by DataBreaches, the emails in the employee’s compromised email account may have included various protected health information elements: name, social security number, and enrollment information such as the individual’s group name, identification number, claims or treatment information such as claim numbers, dates of service, procedures, and prescription information. as well as in some cases, financial information, address, phone number, and email address.
Not all individuals had all elements and there are two forms of the letter going out: one to those whose social security number was involved, and one to those who did not have their social security number involved.
In either case, those being notified will read, “While, at this time, we have no evidence that your information was misused, our risk assessment on this incident concluded that notice to you is appropriate. To help protect your identity, we are offering complimentary access to Experian IdentityWorksSM for 24 months at no cost to you.”1
The notification letters, copies of which were provided to the Maine Attorney General’s Office, do not explain why the employee had so many emails in their account that 300,000 people have to be notified.
In response to the incident, Justine Patrick, Chief Privacy and Data Ethics Officer for Highmark Health writes:
Consistent with corporate policies and procedures, Highmark has taken internal actions to safeguard your protected health information. The mailbox was immediately shut down, network blocking was implemented, passwords were reset, and the enterprise will continue to enhance email security controls. Additional training and education has been provided to employees in regard to the Cyber Security Incident to make them aware and help prevent future Cyber/Phishing attempts in the future.
1 Comment: Their wording calling notice “appropriate” may confuse some people into believing that notice in this case was optional. “No evidence of misuse” is not proof that there is no risk, and notice appears to be required under HIPAA for this incident.
Update: Their statement of February 10, sent to DataBreaches by a reader.