The Commonwealth of Kentucky Personnel Cabinet has reported two data breaches that took place between late April and early May. As a result of the attacks, the protected health information (PHI) of about 1,000 members of the Kentucky Employees' Health Plan was compromised.
The initial attack took place from April 21 to April 27, and a subsequent attack occurred in mid-May. In both incidents, the attackers used stolen login information to access accounts.
In the initial attack, valid credentials were used to access the StayWell systems. StayWell is a third-party vendor that manages a well-being and incentive website for the health plan's members.
Through the website, plan members can manage their health and adopt healthier lifestyles. Members who meet their health targets by completing particular activities and challenges earn reward points that can be exchanged for gift cards.
StayWell, the Commonwealth Office of Technology and the Kentucky Personnel Cabinet detected the first cyberattack and investigated it. The investigators confirmed that, during the period the attackers had access to the portal, they did not view highly sensitive data such as Social Security numbers, birth dates, and addresses, which are the kinds of information most often used by identity thieves. However, the attackers did access biometric screening data and health assessment information. They also accessed the redeemable points accumulated by members and exchanged them for gift cards, redeeming about $100,000 worth of points. The first breach affected 971 people.
StayWell applied a number of security improvements following the initial attack, but the attackers struck again, accessed the government email accounts of 42 plan members, and fraudulently redeemed their accumulated points for $7,700 worth of gift cards.
StayWell stated that the second breach stemmed from the first attack and appears to have been made possible by password reuse: a number of plan members used the same password for both the website and their government email accounts, so the credentials taken in the first attack also gave the attackers access to those email accounts.
The second breach is a reminder of the risk of reusing passwords across several accounts and websites. Strong passwords should always be used so that attackers cannot easily guess them, and a different strong password should be used for every system or account. Password managers are a convenient way to keep track of strong, unique passwords; however, the master password protecting the password manager itself must be especially strong.
StayWell said it is implementing additional security improvements and has asked all affected members to set stronger, distinct passwords. The Personnel Cabinet will develop information, tools, and training for state employees and other users of the StayWell system to improve security.