The first incident involved a phishing attack at LCP Transportation, a company that Managed Health Services contacts with. LCP employees received scam emails in July 2018 that allowed the attacker to remotely access their email accounts in September.
An investigation into the incident determined no PHI had been misused, but several emails in the compromised accounts stored plan members’ personal information including names, addresses, dates of birth, dates of service, insurance identification numbers and descriptions of medical conditions. Roughly 31,300 individuals were affected in the incident, HIPAA Journal reports.
The second incident involved a mailing error in which plan members were sent a notification letter about an upcoming pharmacy change. The letters, however, were sent to the wrong recipients and exposed 576 plan members’ names, insurance identification numbers and medication information.
Out of an abundance of caution, Managed Health Services has offered individuals affected in both incidents 12 months of free credit monitoring services. The organization has also enhanced its email security and re-trained staff on mailing processes as well as cybersecurity risks.
More articles on cybersecurity:
Athenahealth faces shareholder lawsuit over its $5.7B merger
Top 20 digital health companies by funding
7 digital health ‘unicorns’ valued at $1B+
