Highmark Inc

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

In December 2022, Highmark Inc., a Pennsylvania-based health insurer, experienced a significant data breach affecting approximately 300,000 members. The breach occurred between December 13 and December 15, 2022, when an employee clicked on a malicious phishing email link, compromising their email account. This incident allowed unauthorized access to files containing sensitive member information, including names, Social Security numbers, financial account information, insurance information, and protected health information[2][5][8].

Highmark Inc. responded to the breach by shutting down the affected email account, blocking its networks, resetting passwords, and conducting an investigation to determine the extent of the data exposure[5]. The company confirmed that some emails and attachments within the compromised account contained confidential patient information. As a result, Highmark began reviewing the affected files to identify the compromised information and the individuals impacted[5].

The information potentially disclosed due to the breach includes names, enrollment information (such as group name and identification number), claims or treatment information (including claim numbers, dates of service, and procedures), prescription information, dates of birth, email addresses, phone numbers, driver’s license numbers, passport numbers, and in some cases, Social Security numbers and financial information[8][11].

Highmark Inc. has taken steps to notify all affected individuals by mail and has offered them 24 months of Experian identity theft monitoring services[12]. The company has also implemented additional preventative and monitoring controls and engaged third-party digital forensics to determine the full extent of the breach[8]. Highmark emphasizes that, to date, there has been no evidence that the data accessed has been used fraudulently[8][13].

This breach highlights the ongoing risks and challenges organizations face regarding cybersecurity, particularly the threat posed by phishing attacks. It also underscores the importance of robust security measures, employee training on recognizing phishing attempts, and rapid response protocols to mitigate the impact of such incidents.

Citations:

  1. https://www.highmark.com/newsroom/press-releases/highmark-notifies-members-about-data-breach
  2. https://www.schneiderdowns.com/our-thoughts-on/2022-highmark-data-breach-patients-data
  3. https://www.doj.nh.gov/consumer/security-breaches/documents/highmark-health-20230626.pdf
  4. https://www.kbtx.com/2024/01/11/nationwide-healthcare-data-breach-impacting-brazos-valley-patients/
  5. https://www.jdsupra.com/legalnews/highmark-inc-announces-data-breach-1155706/
  6. https://www.highmark.com/newsroom/press-releases/highmark-makes-an-impact-in-the-fight-against-health-care-fraud-waste-and-abuse-in-2023
  7. https://healthitsecurity.com/news/highmark-health-welldynerx-others-report-healthcare-data-breaches
  8. https://www.abc27.com/pennsylvania/highmark-reports-data-breach-affecting-approximately-300000-members/
  9. https://www.wgal.com/article/highmark-data-breach-may-have-exposed-information-of-300000-customers/42829378
  10. https://www.prnewswire.com/news-releases/highmark-health-reports-13-6-billion-in-revenue-389-million-net-income-and-230-million-operating-gain-for-first-half-of-2023–301912248.html
  11. https://www.wpxi.com/news/local/highmark-data-breach-affecting-300000-members/ZJA543CUWZGIBKXEHUQFU4NYLE/
  12. https://healthitsecurity.com/news/highmark-health-suffers-phishing-attack-300k-individuals-impacted
  13. https://www.cbsnews.com/pittsburgh/news/highmark-launches-hotline-for-members-who-may-have-been-victims-of-data-breach/
  14. https://www.hipaajournal.com/highmark-health-phishing-attack-affects-300000-patients/
  15. https://www.pennlive.com/health/2023/02/highmark-data-breach-gives-access-to-private-information-of-about-300000-customers.html
  16. https://apps.web.maine.gov/online/aeviewer/ME/40/67bb2ced-9a70-4248-b728-68a92a56c860.shtml

Breach Submission Date: Feb 10, 2023
Converted Entity Name: Highmark Inc
Converted Entity Type: Business Associate
State: PA
Individuals Affected: 36,600
Breach Type: Hacking/IT Incident
Breach Information Location: Email
Business Associate Present: Yes