On July 26, 2024, United of Omaha Life Insurance Company reported a breached employee email account that exposed 107,894 individuals’ consumer information, including protected health information (PHI).
According to their website substitute notice, United of Omaha (a division of Mutual of Omaha) discovered the data breach on April 23, 2024, after noticing unusual activity in an employee's email account. The breach was traced to a phishing campaign that targeted United of Omaha employees.
More specifically, the breach occurred between April 21 and April 23, 2023, and included names, Social Security numbers, addresses, dates of birth, driver’s license numbers, employment details, and health information.
United of Omaha has since reset passwords, hired cybersecurity specialists, reported the fraudulent domain, and is retraining all employees on how to identify and report phishing campaigns.
Furthermore, data breach notification letters were sent to affected individuals on July 26, 2024.
Their website substitute notice states, “The attack did not compromise the security of any other systems or networks and did not affect United of Omaha’s ability to conduct business.”
However, the company urges affected individuals to:
Phishing is a cyberattack in which attackers impersonate legitimate entities to deceive individuals into disclosing sensitive information, such as passwords or financial details. The attackers usually send fraudulent emails containing links to websites that run malicious code or that prompt the recipient to download and install malware.
As phishing tactics evolve, they exploit perceived sender legitimacy, personal habits, emotional triggers, and overreliance on security tools, making it more difficult for individuals to discern fraudulent emails from legitimate ones.
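The paragraphs above describe the mechanics of a phishing email: a sender who appears legitimate, a lookalike or "fraudulent domain" of the kind United of Omaha reported, and a lure to click or reply. The script below is an added example, not code from the article or from Paubox, showing the kind of header checks a mail filter or a responder triaging a reported message can apply: a confusable-character and edit-distance comparison of the sender domain against a trusted allowlist, a brand name in the display name that does not match the address, a Reply-To pointing elsewhere, and SPF/DKIM/DMARC failures. The trusted domain, brand words and both sample messages are constructed for the example.

```python
"""Added example (not from the article): score an inbound email's headers for
common phishing indicators. Domains, names and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own sending domains (constructed allowlist).
TRUSTED_DOMAINS = {"mutualofomaha.com"}
# Brand words an impersonator is likely to place in the display name.
BRAND_WORDS = ("mutual of omaha", "united of omaha")
# Character substitutions commonly used to build lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))


def normalize(domain: str) -> str:
    """Fold visually confusable sequences so 'mutua1ofomaha' matches 'mutualofomaha'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of indicator tags found in the message headers (empty = none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    if from_dom not in TRUSTED_DOMAINS:
        # Lookalike of a trusted domain, by confusable folding or small edit distance.
        for trusted in TRUSTED_DOMAINS:
            if normalize(from_dom) == normalize(trusted) or edit_distance(from_dom, trusted) <= 2:
                findings.append(f"lookalike-domain:{from_dom}~{trusted}")
        # Display name claims the brand while the address is not a trusted domain.
        if any(word in display.lower() for word in BRAND_WORDS):
            findings.append(f"brand-in-display-name:{from_dom}")

    # Reply-To routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")

    # Authentication results as recorded by the receiving MTA.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech}-fail")
    return findings


# Constructed sample messages (headers must start at column 0 to parse).
LEGIT = """From: Benefits Team <benefits@mutualofomaha.com>
To: employee@example.com
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: Open enrollment reminder

Open enrollment closes Friday.
"""

PHISH = """From: Mutual of Omaha IT Support <helpdesk@mutua1ofomaha.com>
Reply-To: it-support-reset@mail.example.net
To: employee@example.com
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
Subject: Action required: password expires today

Your password expires in 2 hours. Sign in at the link below to keep access.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT), ("suspicious", PHISH)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own (a legitimate newsletter may use a third-party Reply-To, and SPF can fail on forwarded mail), which is why the function returns every tag it finds rather than a single verdict; a filter would weight them, and an analyst reviewing a user-reported message would read them alongside the link targets and the request being made.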
Healthcare organizations, in particular, are vulnerable to these attacks because of the volume of protected health information (PHI) they handle and the potential for security fatigue.
Covered entities like United of Omaha must use a HIPAA-compliant email platform, such as Paubox, which incorporates threat detection technologies to identify and block phishing emails before they reach the inbox.
In addition, covered entities should regularly train employees on recognizing and responding to potential security threats.
Yes, phishing attacks in healthcare fall under Health Insurance Portability and Accountability Act (HIPAA) regulations. Phishing attacks compromising the privacy and security of protected health information (PHI) can lead to severe penalties, including fines and reputational damage.
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.
Yes, Paubox email automatically encrypts attachments, like PDFs and documents, mitigating the risk of potential data breaches.