Recently, Benefit Plan Administrators, Inc. confirmed that the company suffered a data breach after an unauthorized party gained access to the company’s computer network and sensitive consumer data contained on the network. According to BPA, the breach resulted in the compromise of full names, social security numbers, addresses, dates of birth, gender classification, claims information, medication information and information on medical diagnoses/conditions. On June 15, 2022, BPA filed a formal notice of breach and sent data breach letters to all affected parties.
If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself against fraud or identity theft and what legal options are available to you following the Benefit Plan Administrators data breach, please see our recent article on the subject.
What We Know About the Benefit Plan Administrators Data Breach
According to an official notice filed by the company, Benefit Plan Administrators detected a network security breach on an unknown date. While the company did not reveal the exact day it discovered the breach, it did confirm that in response it launched a prompt and thorough investigation in consultation with outside cybersecurity professionals.
On March 15, 2022, as a result of this investigation, BPA learned that the incident involved an unauthorized party accessing certain files on the company’s network and potentially deleting them.
After discovering that sensitive consumer data was accessible to an unauthorized party, Benefit Plan Administrators then reviewed the affected files to determine exactly what information had been compromised. Although the information disclosed will vary depending on the person, it may include your full name, social security number, address, date of birth, gender, claims information, medication information, and information about medical diagnoses/conditions.
Clearly, the breached data involved individuals associated with Alpha Natural Resources Non-Union VEBA Trust and Williamson Employment Services, Inc. BPA is classified as a business associate of each of these organizations.
On June 15, 2022, Benefit Plan Administrators sent data breach letters to everyone whose information was compromised as a result of the recent data security incident. BPA subsequently provided notice to various state agencies as required by state and federal law.
More information about Benefit Plan Administrators, Inc.
Benefit Plan Administrators, Inc. is a company that acts as a third-party administrator of self-insured benefit plans. BPA is based in Roanoke, Virginia, and was founded in 1965. The company works with public and private employers to create personalized health benefit plans. BPA primarily arranges for clients to receive care through Cigna, First Health and Prime Health Services; however, BPA also facilitates care by directly contracting with certain hospitals. Benefit Plan Administrators employs over 43 people and generates approximately $10 million in annual revenue.
What is protected health information and why is it so important?
The Benefit Plan Administrators data breach affected a wide range of patient data. Although the company did not use the term “protected health information” in its letter to affected parties, based on the company’s disclosures, the breach resulted in the leaking of protected health information.
Protected health information means identifying information relating to a patient’s health condition. It also includes data related to how a patient pays for healthcare, such as insurance information. However, for the data to be considered protected health information, it must contain at least one identifier. An identifier is additional data that hackers can use to identify a patient. Some of the more common identifiers include:
Any geographic identifier more specific than a state;
Biometric identifiers, including fingerprints;
Full name or surname with an initial;
Full-face images or other identifying photographs;
Medical record numbers;
Telephone numbers; and
Social security numbers.
The upshot is that when protected health information is exposed, it means a hacker or other malicious actor can use the data to identify the patient with little or no effort. While this is certainly alarming, the real issues with healthcare data breaches aren’t obvious to most.
The consequences of a healthcare data breach can be serious. For example, by obtaining protected health information, a hacker has enough information to steal the patient’s identity. However, identity theft in healthcare is typically harder to solve and costs patients far more than traditional data breaches that only affect social security numbers and financial information.
In addition to the typical risks of fraud and unauthorized transactions, healthcare data breaches endanger the physical health of patients. For example, if a hacker sells a patient’s data to a third party, the third party can then use the information to obtain medical care in the patient’s name. During the treatment, the “false patient” can provide doctors with information about themselves that will end up in the real patient’s medical file. For example, a fake patient might give a surgeon a list of their allergies, past procedures, or medications that don’t match the real patient’s medical history. This may result in a patient’s medical record containing inaccurate information.
Healthcare data breaches pose very real risks, and those who fall victim to such a breach should ensure they take the necessary steps to protect themselves.