The health insurance agency True Health New Mexico, based in Albuquerque, NM, has begun informing a number of health plan members about the exposure and possible theft of protected health information (PHI).
True Health New Mexico detected a data breach incident on October 5, 2021, and quickly took steps to protect its IT systems. The agency’s internal incident response team worked with a third-party cybersecurity company to conduct a forensic investigation of the incident.
According to the investigation report, an unauthorized person had acquired access to its IT programs at the beginning of October and possibly viewed or downloaded files containing protected health information, including names, birth dates, ages, home and email addresses, insurance data, medical details, Social Security numbers, medical account member IDs, date(s) of service and provider data.
True Health New Mexico stated that, at the time it distributed notification letters, no proof had been found indicating misuse of members’ data; nevertheless, as a preventative measure against identity theft and fraud, the company offered the affected persons free credit monitoring and identity theft protection services.
The health insurance agency has reported the cyberattack to law enforcement, which began a criminal investigation. The agency also reported the data breach to the HHS’ Office for Civil Rights, indicating that 62,983 people were affected.
Educators Mutual Insurance Association Data Breach
Educators Mutual Insurance Association (EMIA), based in Murray, UT, learned that an unauthorized person gained access to its computer system from July 29, 2021, to August 10, 2021, and possibly viewed or acquired the PHI of some members.
EMIA detected the breach on August 23, 2021, and the subsequent investigation confirmed that malware had been installed on its network. An analysis of the files located in the compromised system showed that they included the PHI of members, such as names, dates of birth, addresses, clinical data, medical insurance ID numbers, Social Security numbers, and driver’s license numbers. EMIA believes that the complete financial numbers of members had not been compromised.
A third-party cybersecurity company was hired to conduct a forensic investigation, which is not yet finished at this time. Although there is no evidence of attempted or actual misuse of patient information, EMIA advised the affected persons to stay cautious against cases of identity theft.
EMIA states it will regularly audit its system to detect unauthorized system activity and will improve its network monitoring software programs.