South Country Health Alliance, a county-owned health plan based in Owatonna, Minn., has notified members that their personal information was exposed during a phishing attack on an employee email account last June.
On Sept. 14, the health plan discovered that an unauthorized party accessed an employee email account on June 25. South Country Health Alliance immediately secured the account, conducted an investigation and sought counsel from cybersecurity experts.
On Nov. 5, the health plan determined that 66,874 members' personal information was exposed in the account. Exposed information included names, Social Security numbers, addresses, Medicare and Medicaid numbers, health insurance information, diagnostic or treatment information, death dates, provider names and information about treatment costs.
The health plan said it has not become aware of any misuse of the exposed information, but it began notifying affected members about the attack Dec. 30. The notice offered information about the cybersecurity attack as well as complimentary credit monitoring and identity protection service.