Insurance Broker Notifying 1.5 Million of Health Info Hack

A California insurance broker that handles employee benefits, workers’ compensation and property liability is notifying more than 1.5 million individuals about a ransomware and data exfiltration attack last August that compromised health insurance information, passport numbers and Social Security numbers.

See Also: OnDemand Panel | Securing Operational Excellence: Thwarting CISOs 5 Top Security Concerns

Torrance, California-based Keenan & Associates reported the hacking incident on Monday as affecting nearly 1.51 million individuals.

Keenan & Associates in a statement to Information Security Media Group said the data affected in the incident pertained “to certain clients and a limited number of employees.”

Information potentially compromised in the incident includes individuals’ names; birthdates; numerical identifiers such as Social Security, passport number and driver’s license; health insurance information; and general health information.

The broker said that on Aug. 27 it had discovered certain disruptions occurring on some Keenan & Associates network servers. “Within hours of identifying the cybersecurity incident, we had contained it,” the company told ISMG.

Keenan & Associates also notified the FBI.

An investigation determined that an unauthorized party had gained access to certain internal systems at various times for about a week, between Aug. 21 and Aug. 27.

Keenan & Associates declined ISMG’s request for additional details about the incident, including the type of customers affected by the hack and whether the firm would report the breach to federal regulators as a HIPAA breach.

Depending upon the type of entity whose data was affected, the Keenan incident may or may not be considered a reportable HIPAA breach involving the compromise of protected health information. Information pertaining to an employee health plan would likely fall under the HIPAA banner, but workers’ compensation or other kinds of casualty insurance might not, said an attorney who asked not be named.

Third-Party Risks

The attack on Keenan & Associates appears to be part of a trend that has plagued many other firms that provide critical services to healthcare sector and related entities, some experts said.

“Insurance companies, revenue cycle management firms, third party administrators, billing companies, and other business associates – they are being highly targeted,” said Steve Cagle, CEO of privacy and security consultancy Clearwater.

These types of third-party services firms are falling victim to the same types of attacks hitting healthcare providers and related organizations directly, he said. “It’s very similar techniques to what we’re seeing across all industries.”

The techniques include attacks involving ransomware, data exfiltration, social engineering and exploitation of IT vulnerabilities, Cagle said. “That continues to be a source of many attacks. There’s been a very large number of vulnerabilities that have been exposed,” he said.

Making matters even riskier is that many third parties, especially smaller firms, “might not be at the same level of maturity, and therefore they might have more vulnerabilities,” he said. “They might have more exposures, plus they have a lot of data.”

“All these firms really should be bolstering their security programs,” Cagle said.

To help prevent a similar type of incident from occurring in the future, Keenan & Associates said it has implemented additional security protocols designed to enhance the security of its network, internal systems and applications. “Keenan will also continue to evaluate additional steps that may be taken to further increase our defenses.”