IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Two Data Breaches Hit Kentucky Employees’ Health Plan

An investigation determined that while the attacker was unable to access important financial and personal information on the portal, they were able to view biometric screening and health assessment data.

(TNS) — Nearly a thousand members of Kentucky Employees’ Health Plan (KEHP) were victims of a data breach that took place in late April and mid-May, according to a statement released by the Commonwealth of Kentucky Personnel Cabinet on June 2.

During the first attack, from April 21 to 27, 971 KEHP members accounts were accessed by a “bad actor” who used valid login information to infiltrate StayWell, a third-party vendor utilized by KEHP members for their well-being and incentive portal.

This portal offers financial rewards for completion of certain challenges and goals in order to promote a healthier lifestyle among members.

After investigation by the Commonwealth Office of Technology, the Personnel Cabinet and the StayWell IT team, it was determined that while the attacker was unable to access important financial and personal information on the portal, such as birthdays, Social Security numbers or addresses, they were able to view biometric screening and health assessment data.

They were also able to redeem points that members had accumulated on the platform in the form of gift cards. Russell Goodwin, executive director for the Personnel Cabinet, said that this fraudulent gift card redemption amounted to a total of $100,000.

The investigation determined that this “bad actor” was able to get access to valid logins from an external site outside of the StayWell system. To their knowledge, the attacker was an outsider with no previous connection to StayWell, Goodwin said.

After the first attack, StayWell took its site down in order to “introduce new security enhancements,” according to the website.

The second data breach, occurring from May 12 to 22, was a direct result of the first. StayWell estimates that 42 of the original 971 targeted members also had their Commonwealth email accounts infiltrated in the second attack, Goodwin said.

An additional $7,700 in fraudulent gift card redemptions resulted from this.

According to the Personnel Cabinet’s statement, these accounts were likely vulnerable to the second attack due to repeat password usage across both platforms.

In response to these attacks, StayWell sent communications to the affected members informing them of the incident and encouraging them to both use strong passwords and avoid recycling them across programs and websites. They are also working to implement several additional security measures for their users.

“The Personnel Cabinet will take some steps in the near future to inform state employees as well as other members of the StayWell platform,” Goodwin said. “Some steps that they can take, as well as some tools and resources and trainings that will be available to take advantage of to protect themselves, to ensure that these type of data incidents never occur again.”

©2020 the Lexington Herald-Leader (Lexington, Ky.) Distributed by Tribune Content Agency, LLC.

Special Projects
Sponsored Articles
  • How the State of Washington teamed with Deloitte to move to a Red Hat footprint within 100 days.
  • The State of Michigan’s Department of Technology, Management, and Budget (DTMB) reduced its application delivery times to get digital services to citizens faster.

  • Sponsored
    Like many governments worldwide, the City and County of Denver, Colorado, had to act quickly to respond to the COVID-19 pandemic. To support more than 15,000 employees working from home, the government sought to adapt its new collaboration tool, Microsoft Teams. By automating provisioning and scaling tasks with Red Hat Ansible Automation Platform, an agentless, human-readable automation tool, Denver supported 514% growth in Teams use and quickly launched a virtual emergency operations center (EOC) for government leaders to respond to the pandemic.
  • Sponsored
    Microsoft Teams quickly became the business application of choice as state and local governments raced to equip remote teams and maintain business continuity during the COVID-19 lockdown. But in the rush to deploy Teams, many organizations overlook, ignore or fail to anticipate some of the administrative hurdles to successful adoption. As more organizations have matured their use of Teams, a set of lessons learned has emerged to help agencies ensure a successful Teams rollout – or correct course on existing implementations.