Two Data Breaches Hit Kentucky Employees’ Health Plan

An investigation determined that while the attacker was unable to access important financial and personal information on the portal, they were able to view biometric screening and health assessment data.

by Sarah Michels, Lexington Herald-Leader / June 4, 2020

(TNS) — Nearly a thousand members of the Kentucky Employees’ Health Plan (KEHP) were victims of two data breaches, one in late April and one in mid-May, according to a statement released by the Commonwealth of Kentucky Personnel Cabinet on June 2.

During the first attack, from April 21 to 27, 971 KEHP members’ accounts were accessed by a “bad actor” who signed in with valid login credentials at StayWell, the third-party vendor that runs the well-being and incentive portal used by KEHP members.

This portal offers financial rewards for completion of certain challenges and goals in order to promote a healthier lifestyle among members.

An investigation by the Commonwealth Office of Technology, the Personnel Cabinet and StayWell’s IT team determined that the attacker could not reach financial information or personal identifiers held on the portal, such as dates of birth, Social Security numbers or addresses, but could view members’ biometric screening and health assessment data.

The attacker was also able to redeem points that members had accumulated on the platform for gift cards. Russell Goodwin, executive director for the Personnel Cabinet, said that this fraudulent gift card redemption amounted to a total of $100,000.

The investigation determined that the “bad actor” obtained the valid logins from an external site outside the StayWell system; that is, credentials compromised elsewhere were replayed against the portal. As far as investigators know, the attacker was an outsider with no previous connection to StayWell, Goodwin said.

After the first attack, StayWell took its site down in order to “introduce new security enhancements,” according to the website.

The second data breach, occurring from May 12 to 22, was a direct result of the first. StayWell estimates that 42 of the original 971 targeted members also had their Commonwealth email accounts infiltrated in the second attack, Goodwin said.

An additional $7,700 in fraudulent gift card redemptions resulted from this.

According to the Personnel Cabinet’s statement, these accounts were likely exposed to the second attack because the members had reused the same password on both platforms, so a credential that worked at StayWell also worked for Commonwealth email.
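The article gives no technical detail beyond what is reported above, so the following is an added illustration and not code from the Herald-Leader, StayWell or the Commonwealth. It shows the login pattern both breaches share, one source signing into many distinct accounts with credentials that mostly succeed because they were valid somewhere else, and how a defender can tell that pattern apart from a password spray (many accounts, almost all failures) and from an ordinary user. The log format, IP addresses, account names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    account: str
    success: bool


@dataclass
class SourceStats:
    """Per-source-IP aggregate used to separate stuffing from spraying."""
    accounts: Set[str] = field(default_factory=set)
    attempts: int = 0
    successes: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> LoginEvent:
    """Parse one record of the constructed format
    '<ISO-8601 timestamp> <source ip> <account> <SUCCESS|FAILURE>'."""
    ts, ip, account, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, account, result == "SUCCESS")


def stats_by_source(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Aggregate login events by source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for ev in map(parse_line, lines):
        s = stats[ev.src_ip]
        s.accounts.add(ev.account)
        s.attempts += 1
        s.successes += int(ev.success)
        s.first_seen = ev.ts if s.first_seen is None else min(s.first_seen, ev.ts)
        s.last_seen = ev.ts if s.last_seen is None else max(s.last_seen, ev.ts)
    return dict(stats)


def flag_credential_stuffing(lines: Iterable[str],
                             min_accounts: int = 5,
                             min_success_rate: float = 0.5,
                             window: timedelta = timedelta(hours=1)) -> List[str]:
    """Return source IPs that signed into many *distinct* accounts with a high
    success rate inside a short window. A legitimate user touches one or two
    accounts; a password sprayer touches many but mostly fails; replayed valid
    credentials (the pattern described in the StayWell incident) mostly succeed.
    The thresholds are assumptions for this example, not recommended tuning."""
    flagged = []
    for ip, s in stats_by_source(lines).items():
        if (len(s.accounts) >= min_accounts
                and s.success_rate >= min_success_rate
                and s.last_seen - s.first_seen <= window):
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample log (RFC 5737 documentation addresses, fictitious accounts).
# 192.0.2.5    : ordinary user, one account, one typo then success
# 198.51.100.7 : eight distinct accounts in 14 minutes, seven succeed -> stuffing
# 203.0.113.9  : ten accounts, every attempt fails -> a spray, not stuffing
SAMPLE_LOG = """\
2020-04-21T09:00:00 192.0.2.5 alice FAILURE
2020-04-21T09:00:20 192.0.2.5 alice SUCCESS
2020-04-21T09:01:00 198.51.100.7 member0101 SUCCESS
2020-04-21T09:03:00 198.51.100.7 member0102 SUCCESS
2020-04-21T09:05:00 198.51.100.7 member0103 FAILURE
2020-04-21T09:07:00 198.51.100.7 member0104 SUCCESS
2020-04-21T09:09:00 198.51.100.7 member0105 SUCCESS
2020-04-21T09:11:00 198.51.100.7 member0106 SUCCESS
2020-04-21T09:13:00 198.51.100.7 member0107 SUCCESS
2020-04-21T09:15:00 198.51.100.7 member0108 SUCCESS
""" + "".join(
    f"2020-04-21T10:{i:02d}:00 203.0.113.9 member02{i:02d} FAILURE\n" for i in range(10)
)


if __name__ == "__main__":
    for ip, s in stats_by_source(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:14} accounts={len(s.accounts):2} attempts={s.attempts:2} "
              f"success_rate={s.success_rate:.2f}")
    print("credential stuffing suspected from:",
          flag_credential_stuffing(SAMPLE_LOG.splitlines()))
```

The success-rate condition is what separates this detection from a brute-force or spray rule: a sprayer guessing one common password across hundreds of accounts produces a long run of failures, whereas a list of reused credentials taken from another site's breach logs in cleanly, which is why the StayWell accounts showed no lockouts to notice. Lowering `min_success_rate` to 0 turns the same function into a generic many-accounts-from-one-source alert that also catches the spray.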

In response to these attacks, StayWell notified the affected members of the incident and encouraged them to use strong passwords and to stop reusing them across programs and websites. StayWell is also working to implement several additional security measures for its users.

“The Personnel Cabinet will take some steps in the near future to inform state employees as well as other members of the StayWell platform,” Goodwin said. “Some steps that they can take, as well as some tools and resources and trainings that will be available to take advantage of to protect themselves, to ensure that these types of data incidents never occur again.”

©2020 the Lexington Herald-Leader (Lexington, Ky.) Distributed by Tribune Content Agency, LLC.

