DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Heads up: Highmark Health will be notifying 300,000 patients of a phishing incident. Watch for your mail this month.

Posted on February 5, 2023 by Dissent

Highmark Health defines itself as a “national, blended health organization” that includes the Highmark Health Plan (a Blue Cross Blue Shield insurer); a regional hospital and physician network; and companies that offer dental solutions, reinsurance solutions, population health management, and technology solutions.

Letters have not gone out yet and will not be going out in the mail until February 13, but Highmark Health will be notifying 300,000 patients of a data security breach that occurred on December 13, 2022, after an employee clicked on a link that they should not have clicked on. The breach was discovered on December 15, 2022.

According to Highmark’s notification letter, seen by DataBreaches, the emails in the employee’s compromised email account may have included various protected health information elements: name, social security number, and enrollment information such as the individual’s group name, identification number, claims or treatment information such as claim numbers, dates of service, procedures, and prescription information. as well as in some cases, financial information, address, phone number, and email address.

Not all individuals had all elements and there are two forms of the letter going out: one to those whose social security number was involved, and one to those who did not have their social security number involved.

In either case, those being notified will read, “While, at this time, we have no evidence that your information was misused, our risk assessment on this incident concluded that notice to you is appropriate. To help protect your identity, we are offering complimentary access to Experian IdentityWorksSM for 24 months at no cost to you.”1

The notification letters, copies of which were provided to the Maine Attorney General’s Office, do not explain why the employee had so many emails in their account that 300,000 people have to be notified.

In response to the incident, Justine Patrick, Chief Privacy and Data Ethics Officer for Highmark Health writes:

Consistent with corporate policies and procedures, Highmark has taken internal actions to safeguard your protected health information. The mailbox was immediately shut down, network blocking was implemented, passwords were reset, and the enterprise will continue to enhance email security controls. Additional training and education has been provided to employees in regard to the Cyber Security Incident to make them aware and help prevent future Cyber/Phishing attempts in the future.


1 Comment: Their wording calling notice “appropriate” may confuse some people into believing that notice in this case was optional. “No evidence of misuse” is not proof that there is no risk, and notice appears to be required under HIPAA for this incident.

 

Update: Their statement of February 10, sent to DataBreaches by a reader.

Category: Breach IncidentsHealth DataPhishingU.S.

Post navigation

← A Tale of Two Breach Notification Rules
Bigger than they knew: Diligent Corp. sends more notifications after discovering hacked data on the internet →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.