The following press release is by what appears to be a business associate under HIPAA. It does not name the covered entities whose patients or insured members may have been impacted. Will we see notices from those covered entities? Probably not, unless more than 500 were affected for a particular covered entity. The notice also does not indicate when Select Health first became aware that there was likely a problem. Did they learn about it in June and then lock out the attacker? Or did they first learn about it in August or September? And how did they first learn about it?
MISHAWAKA, Ind., Nov. 13, 2019 /PRNewswire/ — Select Health Network (“Select Health”), which provides a provider network to certain health plans and additional services to healthcare providers, today issued notice of a recent event that may impact the privacy of personal information for current or former members of these plans or healthcare providers.
Select Health recently concluded an investigation into unusual activity related to an employee email account. Upon learning of the suspicious activity, Select Health immediately took steps to secure the email account and began working with third-party forensic experts to determine the nature and scope of the incident. The investigation confirmed that the Select Health employee email account was accessed by an unknown actor from May 22, 2019 to June 13, 2019.
The investigation was unable to determine with forensic certainty what emails or attachments, if any, were accessed by the unauthorized actor. In an abundance of caution, Select Health worked with experts to perform a comprehensive review of all information stored in the email account at the time of the incident to confirm the identities of the individuals whose information may have been accessible to the unauthorized actor. On October 1, 2019, Select Health received the results of the third-party audit. Select Health immediately began reviewing the results of the audit to determine the identities and contact information for potentially impacted individuals. On November 1, 2019, Select Health began notifying business partners and certain individuals about this incident.
The following types of information were present in the email account and accessible to the unknown actor, which may include: Name, Address, Date of Birth, Member ID Number, Treating/Referring Physician, Health Insurance Information, Medical History Information, Treatment Information, Treatment Cost Information, Health Insurance Policy Number, and Medical Record Number. For a limited number of individuals, Social Security number may have also been impacted. At this time, there is no evidence of any actual or attempted misuse of the information accessible within the email account. No financial account information was impacted as a result of this event.
Select Health is notifying potentially affected individuals by this posting, notification on its website, and by mailing letters to potentially affected individuals.
Select Health established dedicated assistance lines for members and providers seeking additional information regarding this incident. Members seeking additional information can call our toll-free assistance line at 1-833-935-1364 Monday through Friday, during the hours of 9:00 a.m. to 9:00 p.m., Eastern Time. Providers seeking additional information can call our toll-free assistance line at 1-833-935-1354 Monday through Friday, during the hours of 9:00 a.m. to 9:00 p.m., Eastern Time. Individuals may also write to the Select Health Network at P.O. Box 6249, South Bend, IN 46660.
Members and providers can also find additional information on how they can protect against fraud and identity theft as well as obtain additional resources on Select Health’s website selecthealthnetwork.com and in the letters they will receive by mail. Select Health encourages potentially affected individuals to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution.
Select Health takes this incident and the security of the information in its care very seriously. Select Health has updated processes to further strengthen its systems to protect personal information and will continue to work with third-party experts to help ensure the highest levels of security.
SOURCE Select Health Network