Bankers Life, a health insurance organisation which is part of the CNO Financial Group Inc., has experienced a data breach which has affected more than 500,000 of their customers.
Bankers Life, based in Chicago, Illinois, provides a range of insurance services to its customers, including life insurance, long term care insurance, health insurance, and Medicare supplemental insurance. It is the largest division of CNO Financial Group, a financial services holding company.
In a news report about the breach posted on their website, Bankers Life stated that the breach was discovered on August 7, 2018, and it quickly informed federal law enforcement of the breach. Steps were taken to immediately restrict the access that the unauthorised individual had to their systems. Third-party computer forensics experts were brought in to help conduct the investigation into the breach and deal with the aftermath.
The investigation revealed that the unauthorised individual first gained access to Bankers Life’s systems between May 30 and September 13, 2018. It was determined that the individual used “improperly obtained” employee information to gain access to company websites.
Some customers were more adversely affected by the breach than others. Using these employee credentials, the hacker gained access to a ‘limited group’ of customers’ names, Social Security numbers, driver’s license numbers, bank account numbers, state identification numbers, medication information, diagnoses, and treatment information.
For the majority of customers, the protected health information (PHI) that may have been affected by the breach included names, addresses, dates of birth, insurance policy numbers, insurance type, premium amounts, dates of service, claim amounts, and the last four digits of Social Security numbers.
The details of how the hackers gained access to its systems have not been publicly disclosed. Investigators determined that approximately 566,217 people were affected by the breach. In accordance with HIPAA’s Breach Notification Rule for a breach of that magnitude, a breach report was submitted to the Department of Health and Human Services Office for Civil Rights’ Breach Portal.
Bankers Life, with the assistance of external computer security firms, has now taken steps to restrict access to its systems. Security monitoring has been enhanced, and additional security procedures have now been implemented to prevent further breaches. The organisation has committed to taking measures to ensure that a breach of this nature is prevented from happening again.
The disclosure of the breach was delayed at the request of federal investigators. Affected customers are now being notified and have been offered free identity theft repair and credit monitoring services.
The Bankers Life data breach is the fifth largest healthcare data breach to be reported in 2018. Hacking/IT incidents are posing an ever-increasing threat to healthcare organisations, which often don’t have robust enough IT infrastructure to protect themselves against these attacks. The cost of implementing a strong security framework is monumental, and particularly insurmountable for small- to medium-level organisations. However, if a breach occurs and the organisation’s security framework is deemed inadequate by investigators, then the organisation faces having hefty fines levied against it for non-compliance with HIPAA.