DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Heads up: Highmark Health will be notifying 300,000 patients of a phishing incident. Watch for your mail this month.

Posted on February 5, 2023 by Dissent

Highmark Health defines itself as a “national, blended health organization” that includes the Highmark Health Plan (a Blue Cross Blue Shield insurer); a regional hospital and physician network; and companies that offer dental solutions, reinsurance solutions, population health management, and technology solutions.

Letters have not gone out yet and will not be going out in the mail until February 13, but Highmark Health will be notifying 300,000 patients of a data security breach that occurred on December 13, 2022, after an employee clicked on a link that they should not have clicked on. The breach was discovered on December 15, 2022.

According to Highmark’s notification letter, seen by DataBreaches, the emails in the employee’s compromised email account may have included various protected health information elements: name, social security number, and enrollment information such as the individual’s group name, identification number, claims or treatment information such as claim numbers, dates of service, procedures, and prescription information. as well as in some cases, financial information, address, phone number, and email address.

Not all individuals had all elements and there are two forms of the letter going out: one to those whose social security number was involved, and one to those who did not have their social security number involved.

In either case, those being notified will read, “While, at this time, we have no evidence that your information was misused, our risk assessment on this incident concluded that notice to you is appropriate. To help protect your identity, we are offering complimentary access to Experian IdentityWorksSM for 24 months at no cost to you.”1

The notification letters, copies of which were provided to the Maine Attorney General’s Office, do not explain why the employee had so many emails in their account that 300,000 people have to be notified.

In response to the incident, Justine Patrick, Chief Privacy and Data Ethics Officer for Highmark Health writes:

Consistent with corporate policies and procedures, Highmark has taken internal actions to safeguard your protected health information. The mailbox was immediately shut down, network blocking was implemented, passwords were reset, and the enterprise will continue to enhance email security controls. Additional training and education has been provided to employees in regard to the Cyber Security Incident to make them aware and help prevent future Cyber/Phishing attempts in the future.


1 Comment: Their wording calling notice “appropriate” may confuse some people into believing that notice in this case was optional. “No evidence of misuse” is not proof that there is no risk, and notice appears to be required under HIPAA for this incident.

 

Update: Their statement of February 10, sent to DataBreaches by a reader.

Related posts:

  • Highmark’s statement on the Excellus BlueCross BlueShield security breach.
  • Mailing and printing vendor issues breach notice on behalf of more than three dozen health plans
  • Yet another mailing error from Blue Cross Blue Shield of Florida?
  • Blue Cross Blue Shield Association to offer all members nationwide free identity theft protection service
Category: Breach IncidentsHealth DataPhishingU.S.

Post navigation

← A Tale of Two Breach Notification Rules
Bigger than they knew: Diligent Corp. sends more notifications after discovering hacked data on the internet →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.