BenefitMall Email Security Breach: PHI of 111K Individuals Compromised

Centerstone Insurance and Financial Services, doing business as BenefitMall, has sent notifications to over 111,000 people alerting them to the potential exposure and theft of some of their protected health information (PHI).

BenefitMall is based in Dallas, TX, and provides HR, employee benefits, payroll, and employer services. It has over 20,000 consultants, brokers, and CPAs throughout the country and is a business associate of several HIPAA-covered entities.

The company discovered on October 11, 2018, that an unauthorized person had accessed the email accounts of some of its employees. A third-party computer forensics company was called in to conduct an investigation and determine the nature and extent of the breach.

The investigators found that the first email accounts were accessed in June 2018 and that other email accounts were accessed until October 11, the day BenefitMall detected the attack. The compromised email accounts were promptly secured to prevent the unauthorized person from accessing them further. The breach occurred as a result of employees’ responses to phishing emails.

An examination of the compromised email accounts showed that messages in those accounts contained the private data of patients of its clients. The exposed information was limited to names, addresses, birth dates, Social Security numbers, bank account numbers, and insurance information.

BenefitMall has now reviewed its email security protections and has increased its defenses against phishing attacks. The company has implemented two-factor authentication on its email system, and employees have been given more HIPAA training on security awareness, particularly phishing scams and how to avoid them. Additional training on security awareness and phishing scams will be provided regularly to the workforce.


The Department of Health and Human Services’ Office for Civil Rights (OCR) has been informed. The breach report sent to OCR indicates 111,589 persons were affected by the breach.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: