(Photo credits: Webster, 2019)
One-sentence summary:
300,000 Highmark health insurance customers were breached in 2022 due to a successful phishing attempt.
Who was involved?
300,000 Highmark health insurance customers, a threat actor, and Highmark Inc.
What was the timeline?
December 13-15, 2022: Employee was phished and breach was active.
December 15, 2022: The breach was discovered by Highmark.
February 3, 2023: Breach was reported to the Office of the Maine Attorney General (Office of the Maine Attorney General, 2023a).
February 6, 2023: First press release was seen on Highmark’s website (Highmark, 2023).
February 12, 2023: Customers were officially notified of the breach (Office of the Maine Attorney General, 2023b).
What occurred?
A Highmark health insurance employee was successfully phished via a malicious URL, giving a threat actor initial access; the actor then began accessing PHI (Highmark, 2023, para. 2). Sensitive information, not limited to PHI, was exfiltrated for over 300,000 members. On December 15, Highmark began its incident response and “quickly” moved to contain the affected user account (Highmark, 2023, para. 3). Information leaked included “dates of service, procedures, prescription information, dates of birth, email addresses, phone numbers, driver’s license number, passport number” and even “social security numbers and financial information” (Highmark, 2023, para. 5).
Estimated costs:
Data breach notification costs (including a 7-day/week “dedicated call center”), identity theft monitoring for “24 months,” and “third-party digital forensics” costs (Highmark, 2023, paras. 3, 7; Office of the Maine Attorney General, 2023a, para. 4).
Involved laws:
HIPAA and HITECH.
State laws (Maine): 10 M.R.S.A. § 1346.
Root cause:
Phishing: employee was successfully phished via an emailed malicious URL.
Lessons learned:
User awareness training is critical for any user with public-facing access (e.g., email, phone). Mail gateways must also be employed and synchronized with threat intelligence sources to quickly detect and quarantine malicious links/files and flag/remove suspected phishing emails. Having a 24/7 SOC to monitor inbound email traffic and flag suspicious activity across the entire kill chain/MITRE framework can also help quickly stop or contain incidents.
Example solutions:
User Awareness:
KnowBe4 https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Proofpoint https://www.proofpoint.com/us/products/security-awareness-training
Email Gateway:
Barracuda https://www.barracuda.com/products/email-protection/email-security-gateway
Proofpoint https://www.proofpoint.com/us/threat-reference/email-gateway
SOC:
CyberConvoy MDR (managed detection and response): https://cyberconvoy.com/
Sources:
Highmark. (2023, February 6). Highmark notifies members about data breach. highmark.com. Retrieved February 21, 2023, from https://www.highmark.com/newsroom/press-releases/highmark-notifies-members-about-data-breach
Office of the Maine Attorney General. (2023a, February 3). Office of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches. maine.gov. Retrieved February 21, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/list.shtml
Office of the Maine Attorney General. (2023b, February 3). Office of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches. maine.gov. Retrieved February 21, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/67bb2ced-9a70-4248-b728-68a92a56c860.shtml
Webster, T. (2019, June 11). Highmark Place Skyscraper (Fifth Avenue Place Tower), Pittsburgh. flickr.com. https://www.flickr.com/photos/diversey/48069231343