Bankers Life Hack Affects More Than 566,000Company Says Medicare Supplemental Plan Policyholders Among Those Impacted
Bankers Life is notifying more than 566,000 individuals, including Medicare supplemental insurance policyholders, that their personal information was exposed in a hacking incident. Employee credentials were compromised, enabling unauthorized third parties to gain access to certain company websites containing personal data on policyholders and applicants, the insurer says.
The incident, which was reported by Bankers Life's parent company, CNO Financial Group, to the Department of Health and Human Services as an "unauthorized access/disclosure" breach, is the fifth largest incident added to the HIPAA Breach Reporting Tool website so far this year. Commonly called the "wall of shame," the HHS website lists health data breaches impacting 500 or more individuals.
In an Oct. 25 statement, Bankers Life says it learned about the incident on August 7.
An investigation by an external forensics firm revealed that unauthorized third parties accessed credentials of "a limited number" of Bankers Life employees between May 30 and September 13, according to the statement.
"During this period, unauthorized third parties used improperly obtained employee information to gain access to certain company websites, potentially resulting in unauthorized access to personal information of policyholders and applicants," the insurer says. "Based on the investigation, the company has no reason to believe that its systems or network have been otherwise compromised."
The company says it took steps to further restrict and monitor access to systems and enhance its security procedures.
"Federal law enforcement informed Bankers Life that disclosure of the incident could interfere with or impede its investigation," the insurer says. "Once this concern was removed, the company promptly notified consumers and regulators as required by law and additional individuals whose information may have been accessed."
Personal information that may have been inappropriately accessed includes names, addresses, dates of birth, insurance information - such as application or policy number, types of insurance, premiums, dates of service and claim amounts - and the last four digits of Social Security numbers, the statement says.
"Except for a limited group of individuals, the investigation has not identified any unauthorized access to full Social Security numbers, driver's license or state identification card numbers, bank account numbers, or medications, diagnosis or treatment plan information. In addition, based on the investigation, no credit or debit card information was accessed," the statement notes.
Nevertheless, the company says it's offering free identity repair and credit monitoring services to individuals affected.
Bankers Life is the marketing brand of Bankers Life and Casualty Co., Medicare supplement insurance policies sold by Colonial Penn Life Insurance Co. and select policies sold in New York by Bankers Conseco Life Insurance Co., the statement adds.
Some of the largest health data breaches to date have been reported by health insurers. For example, Anthem Inc. reported a 2014 cyberattack that compromised data of nearly 80 million individuals.
" It's all about the volume of personally identifiable data," says Kate Borten, president of the privacy and security consulting firm, The Marblehead Group. "Most health plans have large numbers of plan member records, and they contain details that bring money on the black market."
The largest breach added to the HHS breach reporting website so far this year was reported in July by Iowa Health System, which operates under the name UnityPoint. That incident involved a phishing attack and impacted 1.4 million individuals.
The Bankers Life incident, because it involved attackers obtaining credentials of some Banker Life employees, also may have involved a phishing attack. The company did not immediately respond to Information Security Media Group's request for additional details about the breach.
Despite many companies' training and other efforts to help prevent employees falling for phishing schemes, the attacks are increasingly tricky to stop.
"The days of poorly spelled phishing attempts are generally behind us. Today's phishing attempts are much more sophisticated, often coming from a known sender whose account was hacked," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"No matter how good your education efforts are, 100 percent perfect compliance is unlikely. Accordingly, it is often best to supplement educational efforts with technical safeguards, such as software that checks links in emails, or multifactor authentication for all accounts that could become compromised."
Borten notes: "Phishing will continue to be a gaping hole in our security defenses since success or failure comes down to each individual."