The Commonwealth of Kentucky Personnel Cabinet submitted a report on two data breaches that occurred in late April and in May. The attacks resulted in the compromise of the protected health information (PHI) of approximately 1,000 members of the Kentucky Employees’ Health Plan.
The first cyberattack happened sometime between April 21 and April 27, and the second followed in May. Both incidents were carried out by attackers who used stolen credentials to gain account access.
In the first breach, the attacker used valid credentials to log in to the StayWell systems. StayWell is a third-party vendor that manages a well-being and rewards portal for Kentucky Employees’ Health Plan members.
Plan members use the website to manage their health: they perform certain activities to reach their health targets and, when they do, earn reward points that can be redeemed for gift cards.
When StayWell, the Kentucky Personnel Cabinet and the Commonwealth Office of Technology learned about the first cyberattack, they launched an investigation. According to its results, the attackers who accessed the portal were unable to view the most sensitive data it held, such as addresses, Social Security numbers, and birth dates, which identity thieves commonly use in their scams. Nonetheless, the attackers did gain access to biometric screening information and health assessment details. In addition, the attackers stole members’ rewards points and swapped them for gift cards. In total, the attackers collected rewards points worth $100,000 belonging to 971 people.
StayWell implemented some security upgrades after the first breach; in spite of this, the attackers struck again and compromised the government email accounts of 42 plan members. They redeemed those members’ accumulated rewards points and obtained gift cards worth $7,700.
StayWell reported that the second data breach was connected to the first attack. The likely cause was password reuse: several plan members had set similar passwords for the StayWell website and for their email accounts, so credentials taken from the portal also gave the attackers access to those email accounts.
The second breach is a reminder not to reuse the same passwords across accounts and web portals. Strong passwords are a must, so that attackers cannot quickly guess them, and each system or site account should have its own distinct strong password. A password manager can help in generating and storing strong passwords, but the password manager itself must also be protected by a strong master password.
StayWell stated that it is implementing further security upgrades and has required all affected members to set stronger, unique passwords. The Personnel Cabinet will additionally provide information, applications, and training for government personnel and other users of the StayWell system to improve security.