Paubox blog: HIPAA compliant email made easy

The Terteling Co., Inc., Group Benefit Plan suffers HIPAA email breach

Written by Arianna Etemadieh | July 19, 2018

On July 6, 2018, Terteling Company, Inc. reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS). The breach at Terteling Company, which is located in Boise, Idaho, affected the protected health information of 4,824 individuals. Terteling Company, Inc. is classified as a Health Plan.

According to their press release: …the Terteling Company, Inc. announced that its family of businesses experienced a cybersecurity incident May 1-10, 2018, that might have resulted in unauthorized access to some employee information.

This incident – which involved a phishing email attack – affected the Terteling Company, Western States Equipment Company, Agri-Service, the 36th Street Garden Center and Bistro, and Red Horse Mountain Ranch (which was previously affiliated with the Terteling Company) (together, the “Companies”). The email attack might have also resulted in unauthorized access to the information of some customers of Western States Equipment Company.

The phishing email, which had the appearance of a legitimate email from an employee, was actually from a hacker, who leveraged it to access some of the Companies’ email files. Although it is unknown whether a hacker actually accessed business emails, the Companies are proceeding with caution and treating this incident as though unauthorized access was obtained.

The categories of information that might have been accessible through this incident consist of employee payroll and personal benefit data, including information pertaining to participation in the Companies’ health plan.

This data includes: names, Social Security numbers, home addresses, birth dates, earnings amounts, health plan ID numbers, and, in some instances, driver’s license numbers and business-issued credit cards. Additionally, some email communications regarding health plan participation, coverage, or claims (including information concerning diagnoses, medications, procedures, treatment dates, and payments sought and paid) were potentially exposed in this incident. The customer information that might have been accessible as a result of this incident involves personal information submitted to Western States Equipment Company, including names, home and business addresses, Social Security numbers, and, in some instances, driver’s license numbers and credit card numbers.

On May 1, business IT managers learned of the phishing email and removed it from the network. After several days of investigation, they determined, on May 9, that the phishing email might have been sent due to a business network intrusion by an external threat.

On May 10, they contained the external threat by restricting network access and requiring all users to reset their passwords. The Companies promptly engaged cybersecurity consultants and forensic investigators to analyze and understand the incident and to protect the private information of employees and customers.

The Companies have also notified law enforcement of the incident and continue to work with them.

“We deeply regret the incident and want to extend our apologies to and express our concern about those potentially affected by this incident,” said Tom Terteling, President and CEO of the Terteling Company. “We apologize to our current and former employees, their dependents, and our customers, for both the concern and frustration this incident may cause. We are conducting a thorough review of our data privacy and security policies and procedures to reduce the risk of future incidents, and we plan to provide additional training to all of our employees in an effort to prevent any future incidents.”

 

HHS Wall of Shame

 

The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

 

HIPAA Breach Report

 

The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.

 
