The owner of Bodybuilding.com, a website about bodybuilding and fitness, reported a security breach that may have allowed unauthorized persons to access client and personnel data.
Under HIPAA, a breach of this kind affecting clients is not a reportable incident. Group health plans, however, are covered by HIPAA, so Bodybuilding.com had to report the exposure of group health plan members’ PHI to the Office for Civil Rights.
Bodybuilding.com detected the breach in February 2019 after observing suspicious activity on its system. An official investigation was started, which confirmed that the system had been accessed after an employee was tricked by a phishing scam.
Although it is thought that client and employee information was not accessed by unauthorized persons as a result of the phishing attack, the possibility cannot be completely ruled out.
Bodybuilding.com has since fixed the breach and properly secured its networks. A password reset was forced for all site users as a safety measure. For clients, the data likely accessed included names, addresses, email addresses, contact numbers, dates of birth, profile data, purchase details, billing and shipping details, and messages with the business.
Current and former personnel of the Idaho fitness retailer who are members of Bodybuilding.com’s group health plan had their employment-related data compromised. The breach also affected enrollees’ beneficiaries and dependents. The compromised information included names, phone details, birth dates, government ID numbers, Social Security numbers, group health plan subscriber details, claims details, and process codes.
The investigation of the breach concluded on April 19, and all affected individuals were notified of the PHI breach as a precautionary measure. No reports of misused information have been submitted to date.
The breach report was recently published on the Department of Health and Human Services’ Office for Civil Rights breach website, indicating that 3,193 current and former personnel, dependents, and beneficiaries were affected by the breach.