About 300k Highmark members could be potential victims of data breach

PITTSBURGH (KDKA) - Highmark is the latest victim of a hack attack.

The breach potentially exposed the private information of 96,000 members in Pennsylvania and nearly 300,000 across the country.

The breach took place between December 13 and 15. Highmark said an employee clicked on a link in a phishing email, which then allowed the hacker to access the files. 

Highmark said it has not discovered any evidence to date that data potentially accessed because of the breach has been used fraudulently.

KDKA's Meghan Schiller interviewed a cybersecurity expert who said he's critical of Highmark saying it didn't yet find any evidence.

"Have you reached out to the adversary and found out that?" asked cybersecurity expert Albert Whale. "No, they're just holding it in escrow for you to pay them. No, nobody does that. As soon as they get the data, it's either out on the dark web or to one of their vendors, suppliers, or clients so that they can do something with it."

Highmark announced the breach this week, nearly two months later. KDKA-TV asked about the lag and was told the investigation took more than a month and involved an external forensic firm. Highmark added that the notice falls within the HIPAA breach requirements.

Whale didn't mince words about the seriousness of a data breach potentially impacting 300,000 people.

"The problem with getting breached like this is people say, 'I don't have anything they could want' and that's the furthest thing from the truth. They want access. You're here in this country and they're not," said Whale.

Highmark says it will notify everyone potentially affected with a letter in the mail, adding the compromised data could include names, enrollment information, claim information, prescription information, dates of birth, driver's license numbers, passport numbers, social security numbers and financial information.

Whale passed along a few tips to get people started if they fall victim to the breach:

  1. Call the three credit bureaus and freeze your credit at no cost to stop any new credit accounts from being opened in your name
  2. Change your passwords
  3. Pay attention to your bank accounts and credit card statements for the foreseeable future

Highmark tells KDKA it has implemented a "robust action plan to bolster employee training on phishing email threats to prevent future incidents of this nature."

The notices have all been mailed out as of Friday, and depending on where people live, they should receive them within the next two to five days.

Highmark is required to notify affected members by mail per federal HIPAA/HITECH breach requirements.

Highmark said it is monitoring the "dark web" with its intelligence partners to identify any data that made its way to the dark web for fraudulent purposes.

The company launched a dedicated hotline for people to learn if they're affected: 800-459-4092. That hotline went live Friday at 9 a.m. and will be open for customers from 9 a.m. until 9 p.m. Monday through Friday. 
