BenefitMall Email Security Breach: PHI of 111K Individuals Compromised

Centerstone Insurance and Financial Services, doing business as BenefitMall, has sent notifications to over 111,000 people alerting them to the potential exposure and theft of some of their protected health information (PHI).

BenefitMall is based in Dallas, TX, and provides HR, employee benefits, payroll and employer services. It has over 20,000 consultants, brokers, and CPAs throughout the country and is a business associate of several HIPAA-covered entities.

The company discovered on October 11, 2018 that an unauthorized person had accessed the email accounts of some of its employees. A third-party computer forensics company was called in to conduct an investigation and determine the nature and extent of the breach.

The investigators found the first email accounts were accessed in June 2018. Other email accounts were accessed until October 11, the day when BenefitMall detected the attack. The compromised email accounts were promptly secured to prevent further unauthorized access. The breach occurred as a result of employees’ responses to phishing emails.

An examination of the compromised email accounts showed that messages in those accounts contained the private data of patients of its clients. The exposed information was limited to names, addresses, birth dates, Social Security numbers, bank account numbers, and insurance information.

BenefitMall has now reviewed its email security protections and has increased its defenses against phishing attacks. The company has implemented two-factor authentication on its email system, and employees have been given more training on security awareness, particularly phishing scams and how to avoid them. Additional training on security awareness and phishing scams will be provided regularly to the workforce.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has been informed. The breach report sent to OCR indicates 111,589 persons were affected by the breach.