A phishing attack in December exposed personal information on about 300,000 members of Highmark insurance plans, including about 96,000 members in Pennsylvania.
- The Pittsburgh-based insurer disclosed the breach last week in a notice to the office of the Maine attorney general.
- In a statement, Highmark said it “immediately responded” to the incident and launched an investigation.
- So far, there is no evidence that the data potentially accessed by hackers has been used fraudulently, said the insurer, which is based in Pittsburgh and has a large office in Central Pennsylvania.
- “Highmark takes the security of member information seriously and has implemented a robust action plan to bolster employee training on phishing email threats to prevent future incidents of this nature,” the insurer said in its statement.
- Highmark has about 6.8 million members overall, including 3.8 million in Pennsylvania, according to spokesperson Anthony Matrisciano, who confirmed the number of Pennsylvania members affected by the breach.
What happened: Between Dec. 13 and Dec. 15, a Highmark employee received a “malicious phishing email” that led to a compromise of the employee’s email account.
- As a result, a hacker apparently gained access to files that may have contained protected health information, as well as other data, including names, treatment information, prescription information, driver’s license numbers and, in some cases, Social Security numbers and financial information, according to Highmark.
- Once the threat was discovered, Highmark response teams “quickly” contained the mailbox, removed the malicious email from all domain users and took additional steps to prevent and monitor the threat.
- Highmark also engaged its email vendor to step up security and hired a digital forensics firm to investigate the breach.
- The insurer has set up a dedicated call center for members with questions. Starting this Friday, members can call 800-459-4092 for assistance, according to Highmark.
The trend: The health care industry is a frequent victim of hacking and other cyber attacks — and it faces some of the highest costs from data breaches.
- According to a report by IBM, the average total cost for a data breach in health care was $10.1 million last year, up from $9.23 million in 2021.
- The average cost globally last year was $4.35 million, up from $4.24 million.
What’s next: Data breaches often lead to litigation.
- Locally, lawsuits have targeted York-based Rutter’s and Lancaster-based Fulton Financial.
- A California law firm already is seeking potential victims of the Highmark breach.