Breached PHI of Navistar Health Plan Members Due to May 2021 Cyberattack

Navistar Inc. based in Lisle, IL has sent more notification letters to persons impacted by a security breach that was discovered on May 20, 2021.

The American truck maker straight away enforced its cybersecurity response program when a likely breach of its IT systems was discovered, and third-party cybersecurity specialists assisted with the investigation to find out the nature and extent of the security breach.

The investigators informed Navistar on May 31, 2021 that the attackers extracted some information from its systems. Furthermore, they confirmed on August 20, 2021 that the stolen data from the exfiltrated files included the protected health information (PHI) of present and past members of the Navistar Retiree Health Benefit and Life Insurance Plan and the Navistar Health Plan. It is believed that the data was stolen before the detection of the security breach on May 20.

Navistar mentioned the exfiltrated data possibly include the following: names, addresses, birth dates, and data associated with participation on the medical and insurance policies, which might have contained certain health-related data like the names of healthcare providers and prescription medications. Some individuals also had their Social Security numbers breached.

Navistar mentioned it has made several changes after the security incident, which include improving its security standards and settings, using new technologies, and performing additional training for the employees. Security controls will still be examined and kept up to date as necessary to avoid other security breaches.

The healthcare provider sent notification letters to impacted persons to advise them about the data breach at the beginning of July. More recent notification letters provide more data on the same security incident. A deeper investigation of the breach confirmed that member’s Social Security numbers were likewise compromised.

Navistar reported it is giving a 2-year free membership to credit monitoring and identity theft protection services to persons whose Social Security number was affected in the attack.

The healthcare company sent the breach report to the Maine Attorney General indicating that 63,126 persons were affected. The breach report was additionally submitted to the Department of Health and Human Services’ Office for Civil Rights stating that 49,000 plan members’ PHI was exposed.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at