Email Security Breaches At MultiPlan and Hawaii Independent Physicians Association

The medical payment billing service provider MultiPlan made an announcement a breach of its email environment. On January 27, 2021, suspicious activity was seen in the email account of one employee. The action was quickly done to end unauthorized access. The credentials of the worker’s email were altered.

MultiPlan right away started an investigation to figure out the nature and extent of the breach, with support given by forensics professionals. The investigation established that the primary objective of the attack was to change wire transfers from the clients of MultiPlan hoping to pay invoices. The attacker used the compromised email account to speak with those clients concerning billing and to try to reroute payments to their accounts.

Although the attackers didn’t appear to target protected health information (PHI), the breached email account was discovered to have the PHI of 214,956 people. That data might have been looked at or acquired by the attacker from December 23, 2020 to January 27, 2021.

The types of data contained in the account were full names, emails, physical addresses, birth dates, healthcare company names, medical record numbers, cost/date of medical services, claims identifiers, medical insurance ID numbers, Social Security numbers, group IDs, and member IDs.

MultiPlan has informed all impacted persons and will be paying for the cost of two years of credit monitoring. Extra protocols and procedures have already been put in place to avoid further email account breaches down the road.

Email Account Breach at Hawaii Independent Physicians Association

Hawaii Independent Physicians Association (HIPA) is sending notifications to 18,770 patients regarding a security breach that involves a subcontractor’s email account.

HIPA determined on February 4, 2021 that an unauthorized person obtained access to the email account. The covered entity promptly stopped external access to the account and asked all HIPA users to modify their login information for their site and email accounts as a safety measure. With the assistance of a third-party cybersecurity company, HIPA established the breach only affected one email account which had the protected health information (PHI) of patients of its physicians.

The compromised account contained these types of data: full names, home addresses, dates of birth, and details concerning the overall health condition of patients. There was no proof of unauthorized information access found, however, the probability that PHI was seen or gotten can’t be eliminated.

The cybersecurity agency looking into the breach made suggestions to enhance email protection and HIPA is now applying the recommended adjustments.