BHI Energy Health and Welfare Benefits Plan

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

On June 29, 2023, BHI Energy discovered that their network had been encrypted by an unknown source. A subsequent investigation revealed that an unauthorized user had accessed and downloaded business records, some of which contained personally identifiable information (PII) and protected health information (PHI) of beneficiaries of BHI’s self-insured employer-sponsored health plan. The compromised data included names, addresses, dates of birth, Social Security numbers, and potentially medical and claims information related to BHI’s health plan[1][4].

The breach was initially detected when BHI Energy’s internal IT team noticed the encryption phase of the attack on June 29, 2023. It was later found that the attackers, identified as the ransomware group Akira, had initially accessed the network on May 30, 2023, using a compromised account of a third-party contractor. The attackers had performed extensive network and data reconnaissance before beginning to exfiltrate data on June 18th, which totaled approximately 690 GB, including the PII of current and former employees and the company’s entire Active Directory database[7].

Upon detecting the breach, BHI Energy took immediate action, including notifying law enforcement, securing its systems, and engaging a third-party cybersecurity firm for investigation. The company was able to recover all encrypted data without paying a ransom due to its backup system. As a response to the incident, BHI Energy has reviewed and is enhancing its privacy and security policies and procedures, and has provided free credit and identity monitoring services for two years to the affected individuals[1][4].

BHI Energy filed a notice of data breach with the Attorney General of Maine and began sending out data breach notification letters to the affected individuals on October 18, 2023. The breach affected the confidential information of approximately 91,000 individuals[4].

The company is based in Weymouth, Massachusetts, and provides specialty services and staffing solutions to various industries, including industrial, oil & gas, power generation, and transmission & distribution. It employs over 8,500 people and generates around $6.6 billion in annual revenue[4].

Citations:

  1. https://www.bhienergy.com/data-security-incident/
  2. https://oag.ca.gov/privacy/databreach/list
  3. https://www.news18.com
  4. https://www.jdsupra.com/legalnews/bhi-energy-announces-data-breach-3543397/
  5. https://consumer.sc.gov/identity-theft-unit/security-breach-notices
  6. https://www.hubspot.com/flywheel
  7. https://www.halock.com/us-energy-services-company-suffers-data-breach-and-ransomware-attack/
  8. https://apps.web.maine.gov/online/aeviewer/ME/40/list.shtml
  9. https://en.wikipedia.org/wiki/Free_trade
  10. https://www.thelyonfirm.com/blog/bhi-energy-data-breach-investigation/
  11. https://breachdata.topwords.me/states/MA?limit=20&offset=40&sort=data_source
  12. https://colevannote.com/investigations/
  13. https://www.securityweek.com/in-other-news-energy-services-firm-hacked-tech-ceo-gets-prison-time-x-glitch-leads-to-cia-channel-hijack/
  14. https://dojmt.gov/consumer/databreach/
  15. https://konbriefing.com/en-topics/cyber-attacks.html
  16. https://abingtonlaw.com/BHI-Energy-Data-Breach-class-action-lawsuit.html
  17. https://www.hipaajournal.com/ambulances-diverted-after-westchester-medical-center-health-network-cyberattack/
  18. https://www.defensorum.com/cyberattacks-on-westchester-medical-center-health-network-fellowship-village-meadville-medical-center-and-bhi-energy-health-plan/
Breach Submission Date Oct 18, 2023
Converted Entity Name BHI Energy Health and Welfare Benefits Plan
Converted Entity Type Health Plan
State MA
Individuals Affected 4,049
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes