A phishing attack at Union Labor Life Insurance (ULLI) has compromised the protected health information (PHI) of more than 87,000 individuals.
ULLI, a subsidiary of The Ullico Inc., discovered the attack shortly after it commenced on April 1, 2019. The IT department revoked the unauthorized access within 90 minutes of the account being compromised.
The attack was attributed to an employee responding to a convincing phishing email. The hacker had disguised the email as a genuine request from a business partner. Once the employee followed the instructions in the email, the hacker was able to harvest the login credentials and hijack the account.
ULLI had cybersecurity systems in place which alerted the information technology department to the unauthorized remote access. This security measure allowed them to respond to the threat quickly and significantly mitigate the amount of damage the hacker could do to their systems. The hacker had limited time to access, alter, or exfiltrate any data stored in the email account.
ULLI launched an investigation into the attack to assess whether the hacker had managed to do any damage during the short period of access. The investigators determined that access was limited to a single email account on one device. However, that email account was confirmed to contain the PHI of plan members in emails and email attachments.
While the investigation found no evidence to suggest patient information was accessed or stolen, the possibility could not be ruled out. As a result, ULLI has decided to notify 87,000 individuals that their data may have been exposed in the breach.
The protected health information that was potentially compromised was limited to names, addresses, dates of birth, Social Security numbers, and some personal health information of plan members and their family members.
Out of an abundance of caution and as a gesture of good faith, ULLI has decided to offer all affected individuals 24 months of complimentary credit monitoring and identity theft protection services.
Following HIPAA’s Breach Notification Rule, ULLI submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights.
This incident highlights the need for regular and thorough employee training regarding cybersecurity issues. ULLI had security measures in place which rapidly detected the attack, allowing them to prevent a catastrophic breach, but many organizations cannot afford such measures. Adequate training on how to spot phishing emails goes a long way in protecting against cybersecurity threats to an organization.