On October 5, California-based Gold Coast Health Plan (GCHP) informed the Office for Civil Rights (OCR) that a phishing attack may have exposed the protected health information of 37,005 plan members. The attack occurred when hackers successfully tricked a GCHP employee with a phishing email, which allowed the hackers access to that employee’s email account from June 18, 2018, to August 1, 2018.
According to GCHP, the incident was discovered on August 8, at which point the health plan immediately terminated the attack by disabling the compromised account, requiring a password change, and increasing monitoring to prevent further suspicious activity.
Following the attack, law enforcement was notified, and a leading third-party cybersecurity firm was hired to investigate the breach. The cybersecurity firm was unable to rule out the possibility that any plan member’s personal data was inappropriately accessed or stolen.
Based on the investigation, GCHP believes that the attack was financially motivated, as the majority of phishing attacks are, with the hackers attempting to fraudulently transfer the health plan’s funds to their own account.
The breach affected members who submitted claims information via email. Information that may have been compromised by the attack includes member names, dates of birth, ID health numbers, medical procedure codes, and dates of medical service.
Currently, there is no evidence to suggest that any of the potentially compromised information has been misused. GCHP is providing free identity theft protection services to victims of the breach.
As a result of the phishing attack, GCHP has committed to improving its security controls in addition to providing more extensive security awareness training to its employees, particularly regarding phishing emails.