
United of Omaha phishing attack exposes 107,894 consumers


On July 26, 2024, United of Omaha Life Insurance Company reported a breached employee email account that exposed 107,894 individuals’ consumer information, including protected health information (PHI).

 

What happened

According to their website substitute notice, United of Omaha (a division of Mutual of Omaha) discovered the data breach on April 23, 2024, after noticing unusual activity in an employee's email account. The breach was traced to a phishing campaign that targeted United of Omaha employees. 

The unauthorized access took place between April 21 and April 23, 2024, and the exposed data included names, Social Security numbers, addresses, dates of birth, driver’s license numbers, employment details, and health information.

United of Omaha has since reset passwords, hired cybersecurity specialists, reported the fraudulent domain, and retrained all employees on how to identify and report phishing campaigns.

Furthermore, data breach notification letters were sent to affected individuals on July 26, 2024.

 

What was said

Their website substitute notice states, “The attack did not compromise the security of any other systems or networks and did not affect United of Omaha’s ability to conduct business.”

However, the company urges affected individuals to:

  • “Enroll in complimentary identity monitoring and identity protection services.
  • Regularly monitor insurance statements as well as bank statements, credit reports, and tax returns to check for unfamiliar activity.
  • [Report] suspicious activity [to their] financial institution or credit reporting agency.”

 

In the know 

Phishing is a cyberattack in which attackers impersonate legitimate entities to deceive individuals into disclosing sensitive information, like passwords or financial details. The attackers usually send fraudulent emails that link to credential-harvesting or malicious websites, or that carry attachments which download and install malware. In the United of Omaha case, the stolen credentials gave the attacker access to a single employee mailbox, which is all it takes to expose every message and attachment stored there.

 

Why it matters

As phishing tactics evolve, they exploit perceived sender legitimacy, personal habits, emotional triggers, and overreliance on security tools, making it more difficult for individuals to discern fraudulent emails from legitimate ones. 

Healthcare organizations, in particular, are vulnerable to these attacks because of the volume of protected health information (PHI) they handle and the potential for security fatigue.
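The “perceived sender legitimacy” vector described above is worth looking at concretely. The script below is an added example, not code from the original article, from Paubox, or from United of Omaha’s notice. It parses a small set of constructed inbound message headers, reads the SPF/DKIM/DMARC results from the Authentication-Results header, compares the From: domain against the domains the organization actually owns (using edit distance and a small homoglyph map to catch lookalikes such as “exarnple” for “example”), and flags a Reply-To that points somewhere other than the sender domain. The organization domain (example-insurance.com), the homoglyph map, and the three sample messages are assumptions made for illustration.

```python
"""Flag common phishing indicators in inbound email headers.

Added example; not from the original article or from United of Omaha.
The trusted-domain list, homoglyph map and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the domains this organization legitimately sends from.
TRUSTED_DOMAINS = {"example-insurance.com"}

# Character sequences attackers commonly swap in to build lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalize(domain):
    """Map homoglyph sequences back to the characters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance; small distances to a trusted domain are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Extract the bare domain from a From:/Reply-To: header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_failures(msg):
    """Return every SPF/DKIM/DMARC result that is not 'pass'."""
    results = msg.get("Authentication-Results", "")
    fails = []
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", results)
        if m and m.group(1).lower() != "pass":
            fails.append(f"{mech}={m.group(1)}")
    return fails


def lookalike(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain this sender imitates, or None."""
    if domain in trusted:
        return None
    for t in trusted:
        if normalize(domain) == t or levenshtein(domain, t) <= max_dist:
            return t
    return None


def assess(raw_message):
    """Score one raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From"))
    findings = auth_failures(msg)
    target = lookalike(sender)
    if target:
        # Note: an attacker's own lookalike domain will usually PASS SPF/DKIM,
        # so authentication results alone never catch this case.
        findings.append(f"lookalike of {target}: {sender}")
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain differs: {reply_to}")
    return {"from": sender, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Constructed sample messages (headers only matter for this check).
SAMPLES = {
    "legit": (
        "From: HR <hr@example-insurance.com>\n"
        "Subject: Open enrollment reminder\n"
        "Authentication-Results: mx.example-insurance.com; spf=pass "
        "smtp.mailfrom=example-insurance.com; dkim=pass "
        "header.d=example-insurance.com; dmarc=pass header.from=example-insurance.com\n"
        "\nPlease review your benefits by Friday.\n"
    ),
    "lookalike": (
        'From: "IT Helpdesk" <helpdesk@exarnple-insurance.com>\n'
        "Subject: Action required: password expiring\n"
        "Authentication-Results: mx.example-insurance.com; spf=pass "
        "smtp.mailfrom=exarnple-insurance.com; dkim=none; dmarc=none\n"
        "\nSign in here to keep your mailbox active.\n"
    ),
    "reply_to": (
        "From: Billing <billing@example-insurance.com>\n"
        'Reply-To: "Billing" <billing@mail-relay.example>\n'
        "Subject: Updated remittance details\n"
        "Authentication-Results: mx.example-insurance.com; spf=fail "
        "smtp.mailfrom=example-insurance.com; dkim=none; dmarc=fail\n"
        "\nPlease send future payments to the new account.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw))
```

The point a practitioner should take from this: the lookalike message passes SPF because the attacker controls the imitation domain, so a gateway that only checks authentication results lets it through; the domain comparison is what catches it, and the Reply-To mismatch is what catches the third message even though its display name and From: domain look right.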

Related: Why people still fall for phishing attacks in 2024

 

The bottom line

Covered entities like United of Omaha should use a HIPAA compliant email platform, such as Paubox, that incorporates threat detection technologies to identify and block phishing emails before they reach the inbox.

In addition, covered entities should regularly train employees on recognizing and responding to potential security threats.

 

FAQs

Does HIPAA apply to phishing attacks in healthcare?

Yes, phishing attacks in healthcare fall under Health Insurance Portability and Accountability Act (HIPAA) regulations. A phishing attack that compromises the privacy or security of protected health information (PHI) is a reportable breach and can lead to enforcement action, including fines, as well as reputational damage.

 

Who needs to comply with HIPAA?

HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.

 

Can covered entities send attachments via HIPAA compliant emails?

Yes. With a HIPAA compliant email platform such as Paubox, attachments like PDFs and documents are encrypted automatically, mitigating the risk of a data breach while the message is in transit.