
Health Plan Email Phishing Attack Exposes Student PHI

A Microsoft Office 365 email phishing attack exposed students' PHI.

A student health insurance plan, which provides services to over 230 higher education institutions nationwide, is the victim of an email phishing attack that led to the breach of students' protected health information (PHI).

On August 4, Academic HealthPlans, Inc. (AHP) published a data incident notification, alerting students to the cyberattack.  

After an investigation, “AHP determined that an email phishing attack that targeted AHP employees may have resulted in unauthorized access to emails and attachments in the two employees’ email accounts,” the notice states. “Although no evidence was found during the investigation that indicated that any emails in the employees’ accounts were in fact acquired or accessed, AHP could not rule out that possibility.” 

AHP concluded its investigation on June 4 and determined the phishing incident occurred between August 6, 2020 and August 24, 2020 and again on October 2, 2020.

“The investigation confirmed that the unauthorized access was limited to AHP’s cloud-based, Microsoft Office 365 email system and did not involve AHP’s enrollment waiver platform or any other AHP systems,” the notice states.   

After an extensive review, “AHP then correlated the results of this data review with its files to identify the health plans and self-insured universities associated with the information.” 

The review determined that the emails contained information about students, including names, dates of birth, Social Security numbers, health insurance member numbers, claims information, and diagnoses and treatment information.

AHP started mailing notification letters to impacted individuals on July 20, according to the notice. 

Students impacted by this data breach are eligible for free credit monitoring and identity theft protection services. Impacted individuals can call the dedicated call center at 855-545-2003, Monday through Friday, between 8:00 am and 5:30 pm, CT.  

“We recommend that members whose information may have been involved in this incident review the explanation of benefits received from their health insurer,” AHP states. “If they see services they did not receive, members should contact the insurer immediately. We deeply regret any inconvenience or concern this may cause.” 

AHP said it is working to prevent any similar incident from occurring in the future.  

That includes providing “extensive training to its employees regarding phishing emails and other cybersecurity issues” and enhancing its existing cybersecurity measures, the notice concludes.  

Microsoft has issued a warning to its users regarding the Microsoft Office 365 phishing scheme. 

According to the Robinson+Cole law firm, the phishing scheme “is designed to use convincing emails, a legitimate looking SharePoint site, and ‘a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters.’” 

The scam emails are trying to “get users to believe they are being asked to join a secure SharePoint site by using SharePoint in the display name and poses as a site for bonuses, staff reports or other links that curious users may be duped into opening, which then navigates to the phishing page without the user’s knowledge,” according to a blog published by the law firm.  

Using multi-factor authentication and educating users about combatting phishing campaigns will help protect company data, the blog concludes.  
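As an added defender-side example that is not from the article, AHP, Microsoft or the law firm, the Python below checks a From: header for the lure patterns described above: a display name that mimics SharePoint while the real sender domain is elsewhere, a display name carrying the target's own username or domain, and a display name that embeds an address different from the actual sender. The brand allowlist, the recipient and the sample headers are constructed values, not data from the incident.

```python
import email.utils
import re

# Hypothetical allowlist (constructed): domains that may legitimately use each brand name.
BRAND_DOMAINS = {
    "sharepoint": {"sharepointonline.com", "microsoft.com"},
    "office 365": {"microsoft.com"},
}

def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _under(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def check_from_header(from_header, recipient):
    """Return the reasons a From: header matches the display-name lure patterns; [] if clean."""
    display, addr = email.utils.parseaddr(from_header)
    display_l, addr_l = display.lower(), addr.lower()
    dom = _domain_of(addr_l)
    rcpt_user, _, rcpt_domain = recipient.lower().partition("@")
    reasons = []
    # Display name names a brand, but the real sender domain is not one of that brand's domains.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display_l and not any(_under(dom, a) for a in allowed):
            reasons.append(f"display name mentions '{brand}' but sender domain is '{dom}'")
    # Display name carries the recipient's own domain or username to look internal; sender is external.
    if rcpt_domain and rcpt_domain in display_l and not _under(dom, rcpt_domain):
        reasons.append("display name contains recipient domain but sender is external")
    if len(rcpt_user) >= 4 and rcpt_user in display_l and not _under(dom, rcpt_domain):
        reasons.append("display name contains recipient username but sender is external")
    # Display name itself looks like an address that differs from the actual sender address.
    m = re.search(r"[\w.+-]+@[\w.-]+\.\w+", display_l)
    if m and m.group(0) != addr_l:
        reasons.append(f"display name embeds '{m.group(0)}' but actual sender is '{addr_l}'")
    return reasons

# Constructed sample headers for one fictional recipient; the first is benign, the rest are lures.
SAMPLE_RECIPIENT = "jdoe@example.edu"
SAMPLE_HEADERS = [
    '"SharePoint Online" <no-reply@sharepointonline.com>',
    '"SharePoint - jdoe@example.edu" <notify@mail-relay.example.net>',
    '"Bonus Report (example.edu)" <hr-files@files-share.example.org>',
]

def scan(headers=SAMPLE_HEADERS, recipient=SAMPLE_RECIPIENT):
    """Return only the headers that triggered at least one reason, with those reasons."""
    return [(h, r) for h in headers if (r := check_from_header(h, recipient))]

if __name__ == "__main__":
    for header, reasons in scan():
        print(header, "->", "; ".join(reasons))
```

These heuristics are a triage aid for mail-flow logs and complement, rather than replace, SPF/DKIM/DMARC checks and the MFA the blog recommends.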
