Gold Coast Health Plan, located in Camarillo, CA, has told its 37,000 plan members that cyber attackers potentially accessed some of their protected health information (PHI) because an employee's email account was compromised. The employee was deceived into clicking a phishing email and exposed the sign-in credentials of his email account. The attackers had access to the email account from June 18, 2018 to August 1, 2018. After discovering the data breach on August 8, Gold Coast Health Plan took action without delay to secure the email account and prevent the hackers from regaining remote access.
A leading third-party cybersecurity firm investigated the breach to examine its magnitude and determine the number of patients whose health data were exposed. Although no report of PHI misuse had been received, it was not possible to rule out data theft or PHI access with 100% certainty.
Gold Coast Health Plan is confident that the attackers were financially motivated. It appeared that the hackers had no intention of stealing plan members' personal data. Their motive was to obtain the banking information of health plan members and attempt fraudulent transactions from the Gold Coast Health Plan accounts.
Based on the investigation, the affected account contained information on the health plan members' claims details, ID numbers, and the dates on which they received medical services. In addition, some plan members' data such as names, dates of birth, and medical treatment codes were disclosed. The compromised data varied from patient to patient, and for many only up to two of the data elements named above were disclosed.
Even though no Social Security numbers or financial data were exposed, Gold Coast Health Plan still offered breach victims a free MyIDCare subscription and identity theft protection services from ID Experts.
As a precaution, Gold Coast Health Plan applied additional security controls to reduce the likelihood of similar breaches happening again. End user security training was improved, with emphasis on identifying phishing attacks, monitoring of email accounts, and implementing more effective email security controls.