According to officials, several employees of LCP Transportation, an MHS vendor, responded to phishing emails which gave a hacker remote access to these accounts for more than a month.
Due to its sensitive nature, medical data is worth much more for hackers than credit card details, resulting in a growing number of healthcare data breaches globally. The handling of health data is governed by complex regulations all over the world. To comply with them, healthcare organizations need to ensure the secure storing and sharing of protected health information (PHI).
SkyFlok is a HIPAA compliant file sharing service that helps healthcare professionals and researchers securely manage files and collaborate within departments and with external vendors.
Protect your patents’ data and ensure secure sharing of important files with SkyFlok!
LCP Transportation disabled the impacted accounts on September 7.
The vendor launched an investigation in partnership with a third-party forensics firm. Officials said they found the emails contained patient data, which included names, insurance ID numbers, addresses, dates of birth, dates of service, and medical conditions.
LCP Transportation notified MHS about the breach on October 29. MHS then launched its own investigation. Notifications went out on December 20, and all patients are being offered a year of free credit monitoring.
“We have tested the email process with them to ensure it is working correctly,” MHS said in a statement. “Our vendor is making improvements to their system security and conducting employee training about cyber risks.”
The same day MHS notified patients of the third-party vendor hack, officials announced a second breach caused by a mailing error. On October 16, protected health information was unintentionally disclosed when a letter about a pharmacy change was incorrectly mailed to the wrong member.
Officials learned of the event on October 25. The information contained the names, insurance IDs, and medication information of about 576 plan members.
According to the notice, MHS is calling patients to retrieve all of the letters mailed to the wrong recipients. Officials are also reinforcing mailing policies and procedures around patient data and reviewing the process around sending mailing addresses to its national mailing center.
MHS joins two other organizations that reported multiple breaches in December. Blue Cross Blue Shield of Michigan reported a laptop theft and a ransomware attack on its service provider, Wolverine Solutions.