There are a number of journalists or sites that monitor news and legal notices for disclosures of breaches involving protected health information (PHI). And it’s tempting, when you see that the entity is a business, to just skip on by. But don’t.
If a business has a health plan for employees, then they may be storing ePHI and may be covered by HIPAA.
Today’s reminder is Navistar. Navistar describes itself as:
Navistar is the Lisle, Illinois-based parent company of International® brand commercial trucks and engines, IC Bus® brand school and commercial buses, all-makes OnCommand® Connection advanced connectivity services, aftermarket parts brands Fleetrite®, ReNEWed® and Diamond Advantage® and Brazilian manufacturer of engines and gensets MWM Motores Diesel e Geradores. With a history of innovation dating back to 1831, Navistar has more than 12,000 employees worldwide and is part of TRATON SE, a global champion of the truck and transport services industry.
When a listing for Navistar data showed up on a marketplace that offers stolen data, I didn’t even bother to look at it — until this week.
This week, I actually read a recent Navistar notification letter and realized they were notifying 63,126 employees enrolled in their health plan or retirees enrolled in their retirement plan of an incident.
In their notification letter, submitted with their report to the Maine Attorney General’s Office, they explain that on May 20, the firm had discovered a breach that had likely occurred prior to May 20. They had notified affected employees in July, but later realized that health plan data were also involved, requiring the re-notification of some employees and notification of others. The types of data involved included:
full name, address, date of birth, and information related to your participation in the Plan, such as information identifying certain of your providers and prescriptions.
But reading through all of Navistar’s documentation, DataBreaches.net also noted this statement:
On May 31, 2021, Navistar received a claim that certain data had been extracted from our IT System. In the course of our investigation, we were able to confirm that an unauthorized third party had accessed and taken certain data from our IT System, including data relating to participants in the Plan.
So was this “claim” a ransom demand related to a ransomware incident? It could have been, but it was not totally clear from the description.
DataBreaches.net sent an email to Navistar to ask if this was a ransomware incident, and to inquire how many of those being notified were health plan enrollees.
No response has been received to our two emails by the time of this publication time, but this post will be updated if one is received.
DataBreaches.net notes that the market in question deals in stolen data but claims that they never list or sell any data that has come from a ransomware attack. So if Navistar indicates that this was a ransomware attack, will the market remove the listing?
DataBreaches.net will continue to follow this incident.
Correction and Update: Navistar called DataBreaches.net yesterday, but I missed the call and voicemail. My apologies for reporting that they hadn’t replied, when they had. They kindly called again today. For now, they are not willing to go beyond the statement they had made about the claim. If that changes, this post will be updated again.