Horizon Actuarial Services Data Theft Affects MLB Players Benefit Plan Members


Threat actors have exploited the networks of Horizon Actuarial Services, whose clients include the Major League Baseball Players Benefit Plan. Pictured: A baseball with the MLB logo is seen at Citizens Bank Park before a game between the Washington Nationals and Philadelphia Phillies on June 28, 2018 in Philadelphia. (Photo by Mitchell Leff/Getty Images)

Threat actors exploited the networks of Horizon Actuarial Services in November, stealing data belonging to consulting service providers and two client groups: the Major League Baseball Players Benefits Plan and the Chapter Employers Group Welfare Fund Local 295 IBT.

On November 12, the hacking group notified Horizon Actuarial in an email that it had stolen copies of personal data from its servers. Horizon Actuarial contacted law enforcement and secured its network with the help of third-party cybersecurity specialists.

Horizon also “negotiated with the group and paid in exchange for an agreement that it would delete and not distribute or misuse the stolen information.” Security researchers have long warned organizations not to trust such claims, given the criminality of hacking and evidence showing that some groups forge “evidence” of removal.

The subsequent investigation confirmed that the hackers had access to Horizon’s computer servers for two days between November 10 and 11, 2021. During this time, they were able to steal health information belonging to plan participants and their family members.

The stolen data included names, dates of birth, Social Security numbers and health plan information. Horizon Actuarial reported the breach to the Department of Health and Human Services as affecting 38,418 patients, while the MLB plan filed notice for 13,156 people and Local 295 filed for 6,123 patients.

Affected plans were notified of the exfiltration incident on January 13, and Horizon waited until March to send its own notifications, well outside the 60-day requirement of the Health Insurance Portability and Accountability Act.

New Jersey Spine ransomware attack affects 92,000 patients

New Jersey Brain and Spine recently notified 92,453 patients that their data was likely accessed in a ransomware attack deployed in November. The investigation is ongoing, which may result in further notice to those affected.

NJBS discovered that its networks and some systems were encrypted by a cyberattack on November 16, 2021. Once the systems were secured, the security team worked to restore the impacted systems and operations.

While NJBS is still working on the “data mining” process, the investigation has so far concluded that the attacker may have accessed patient data during the attack. Compromised data can include names, Social Security numbers, contact details, financial account details, debit or credit card information, driver’s licenses and medical information.

“Since the incident, NJBS has migrated to a third-party cloud-hosted platform to securely store patient data, implemented two-factor authentication, installed a new server, and set up a continuous monitoring response that tracks user, service, and port activity and coordinates logging,” according to the notice.

The notice does not explain why patients were notified outside of the HIPAA 60-day requirement.

North Texas Clinic Cyberattack Leads to Data Access and Possible Theft

Data belonging to 76,302 patients was potentially accessed or stolen in a cyberattack deployed against North Texas LLP’s clinic in November 2021. CNT is a healthcare network comprising over 36 provider offices based in Wichita Falls, TX.

The cyberattack was first detected on November 9, 2021, prompting the launch of a forensic investigation with the support of a third-party cybersecurity firm. On January 24, investigators determined that the attackers may have accessed or acquired protected health information.

Notably, it appears that the impact was contained in a folder stored in the affected systems, signaling the use of encryption or proper segmentation. Thus, the data impacted was limited to patients’ names, addresses, dates of birth and certain health data. CNT pointed out that the hacked file did not contain any SSN, driver’s license, credentials or financial data.

CNT has since reset all admin passwords, implemented two-factor authentication, and deployed endpoint detection and response and threat hunting tools to prevent recurrence.

Wheeling Health ransomware attack leads to access to patient data

A ransomware attack deployed against Wheeling Health in January led to the possible access to patient health information. Currently, there are no reported data leaks or attempted misuses.

After securing the systems, Wheeling Health engaged with an external data breach remediation company to investigate and “decrypt, recover and rebuild our systems”. The team also reset all end user passwords.

Investigation into the scope of the incident confirmed that the hacker may have accessed some patient information during the attack, including names, contact details, Social Security numbers, driver’s licenses, medical record numbers, income and tax information, and health information of “patients who have requested or received services from Wheeling Health Right.”

Wheeling Health has since implemented MFA for employee email accounts and installed endpoint detection and response tools, alongside other security measures. The provider is currently working to implement new safeguards, while revising its privacy and security policies and procedures and increasing employee cybersecurity training.

In short

Several recent healthcare security incidents have been reported to the attorneys general of Texas and Massachusetts. Due to state reporting requirements, the notices provide few details outside of the number of affected patients.

  • A hacking incident reported by Direct Dialysis to HHS compromised the health data of 14,203 patients. The Texas AG notice shows that patient names, contact details, SSNs, driver’s licenses, government IDs, financial details, medical data and health insurance information were compromised during the incident.

The Massachusetts notice shows the breach was caused by a phishing attack that led to an employee’s email account being hacked. There are no details on when it was first discovered. But the review showed the hack lasted for over a month, starting in January 2021.

  • Texas-based AlixaRX notified the Texas AG of a “data security breach” that impacted the names, addresses, Social Security numbers, health data, and health insurance information of an undisclosed number of patients. No further details are available, as AlixaRX has not published a review on its website.

More information has surfaced about the JDC Healthcare Management data theft incident, first reported earlier this month. The Texas AG filing reveals the theft — which stemmed from a malware attack — affected more than 1.03 million Texans. As it stands, this is the second largest healthcare data breach reported in 2022 so far.
