Cyberattacker steals $107K in gift cards from Kentucky state health plan member incentive portal 

The Commonwealth of Kentucky Personnel Cabinet on June 2 announced that its state health plan suffered two cyberattacks in April and May, exposing the health information of 971 members and resulting in fraudulent gift card redemption of more than $107,000, according to the Lexington Herald Leader.

During the first attack, from April 21-27, a "bad actor" used valid login information to access the Kentucky Employees' Health Plan's well-being and incentive portal, which is powered by third-party vendor StayWell. The portal encourages members to live a healthier lifestyle by offering financial rewards for completing certain health challenges and goals. 

An investigation by the Commonwealth Office of Technology, the Personnel Cabinet and the StayWell IT team revealed that the attacker was unable to access financial and personal information on the portal, such as Social Security numbers, birthdays and addresses. However, the attacker was able to access health assessment data and biometric screening, and to redeem as gift cards the points that members had accumulated on the platform, resulting in fraudulent redemption of $100,000 in gift cards.

StayWell took the site down after the first attack to implement new security enhancements, but it was breached again from May 12-22 as a direct result of the first breach. StayWell said that about 42 of the original 971 affected members also had their government email accounts hacked in the second attack, which resulted in another $7,700 in fraudulent gift card redemptions.

StayWell informed the affected members of the incident and requested they use stronger passwords and not recycle them across different programs and websites. The company said it is also working to add several new security measures for its users, according to the report.


© Copyright ASC COMMUNICATIONS 2020.