Physicians Insurance A Mutual Company reported a security incident affecting the personal information for some third-party contractors and the health information for some of its insureds’ patients.
“Although we have no evidence to suggest that any personal information has been misused, we are providing notice in an abundance of caution, so that potentially affected individuals may take steps to protect their information should they feel it is necessary to do so,” a statement from the Washington-based insurer states.
On March 2, Physicians Insurance identified unauthorized access to an employee’s work email account by an unknown third party.
According to the company, it immediately shut down the mailbox and reset employee passwords, which terminated the access. The company also initiated an investigation and hired third-party cybersecurity experts to assist in investigating the source and scope of the activity.
“We subsequently determined that the access was isolated to a single user’s email account, and only lasted roughly an hour on March 2, 2023 before that access was terminated,” the company statement reads. “We did not find any evidence to indicate that any emails or attachments were exported from the user’s email account, but we have not been able to confirm whether the files that contained personal information were accessed or viewed by the third party. Therefore, we cannot say with certainty if any of the personal information in those files was accessed or viewed. Nevertheless, we are providing notice in an abundance of caution.”
Their investigation determined that an unknown third party may have accessed select files containing certain information for the healthcare providers insured by or utilizing the company’s third-party claims administrator services, potentially impacting third-party contractors, patients of those healthcare providers, and individuals associated with those patients, according to the company.
For patients and individuals associated with those patients, the following types of information were present in the email account: full name, date of birth, contact information, medical treatment information, health insurance information and Social Security number. For third-party contractors, the following types of information were present in the email account at issue: date of birth, Social Security number, driver’s license number, and financial account information (such as bank account and routing number but not any security or access code related to that account), according to the company.
“We have security measures in place that allow us to take prompt action against attempted intrusions into our systems,” the statement reads. “Those measures were implemented here and reduced the scope of the third party’s activity. We also hired third party experts to address this situation, perform an investigation into the unauthorized activity, and further secure our systems to help protect the information we maintain. We are also working on directly notifying impacted individuals.”
Topics Carriers Washington Data Driven
Was this article valuable?
Here are more articles you may enjoy.