Health Plan of San Joaquin (HPSJ), a not-for-profit provider of Medi-Cal managed care based in French Camp, CA, learned that an unauthorized individual obtained access to its email system and likely viewed or obtained sensitive data.
HPSJ noticed a likely email breach on or around October 12, 2020, after identifying suspicious activity in its email system. The health plan provider confirmed on October 23, 2020 that an unauthorized person had remotely accessed a number of staff email accounts. Passwords were reset on all affected email accounts to keep the hacker from further accessing the system. The investigation determined that the email account breach took place between September 26, 2020 and October 12, 2020.
After an email system breach, all emails in the breached accounts must be analyzed to determine whether they include any sensitive details. That process can be very labor-intensive and time-consuming. In this case, a programmatic and painstaking manual review was necessary, which determined that the compromised email accounts contained the protected health information (PHI) of 420,433 persons.
The breach notifications were delayed because it took a long time to confirm that the email accounts contained sensitive data. It also took considerable time to search internal records for the current contact information of the people impacted, which is needed to deliver the notification letters. That process was recently completed, and the provider began sending breach notification letters to affected individuals on May 18, 2021.
The following types of data were identified in the compromised accounts: names, Social Security numbers, and addresses. Although unauthorized access to the email accounts was confirmed, the provider did not receive any report indicating improper use of any PHI; nevertheless, as a precaution against identity theft and fraud, affected persons whose Social Security numbers were compromised received a free one-year membership to credit monitoring services through Equifax.