On or about October 12, Health Plan of San Joaquin (HPSJ) learned of unusual activity affecting its email system. On October 23, 2020, the investigation determined that an unknown person(s) had accessed a number of HPSJ employee email accounts between September 26, 2020 and October 12, 2020.
Yesterday, HPSJ sent out notifications and notified the Maine Attorney General’s Office of the incident, reporting that “the information that could have been subject to unauthorized access includes name, address, and Social Security number.” Their notification did not indicate what else it included or whether all those being notified were health plan members or also included any employees or dependents. DataBreaches.net has sent an email inquiry to HPSJ requesting clarification on how many people had ePHI potentially accessed or viewed and will update this post if a response is received.
Although the health plan says they do not know for sure what was possibly accessed or viewed, those being notified were offered 12 months of credit monitoring with Equifax.
All told, 420,433 have been sent notifications of this incident, which has not (yet) shown up on HHS’s public breach tool. The notification to regulators does not indicate how many employee email accounts were compromised, and whether they were all compromised by phishing or some other method.
DataBreaches.net sent an inquiry to HPSJ asking whether the 420k were all members, or if some of the data was employee data. If a reply is received, this post will be updated.
Updated May 21: A notice on their web site provides additional details about the data types contained in the email accounts;
member name, HPSJ member ID number, claim ID number, date of birth, lab results, medical ID number, prescription information, treatment information, driver’s license or other government issued ID number, financial account information, health insurance information, medical record number (MRN), username and password, prescription ID number, and Social Security number.
In response to this site’s inquiry, “Were these 420+k individuals all health plan members? Was this all ePHI under HIPAA? If not, how many had PII that were not covered by HIPAA? Thanks in advance for a prompt reply,” Sunny T. Cooper, CHC, CHPC, Chief Compliance Officer responded:
HPSJ respectfully declines to provide the requested information. Thank you.
Champions Play as One!!
Well, okay, then. I guess we’ll just wait to see what they report to HHS.