The Commonwealth of Kentucky Personnel Cabinet announced on June 2 that its state health plan suffered two cyberattacks, in April and May, exposing the health information of 971 members and resulting in more than $107,000 in fraudulent gift card redemptions, according to the Lexington Herald-Leader.
During the first attack, from April 21-27, a "bad actor" used valid login information to access the Kentucky Employees' Health Plan's well-being and incentive portal, which is powered by third-party vendor StayWell. The portal encourages members to live a healthier lifestyle by offering financial rewards for completing certain health challenges and goals.
An investigation by the Commonwealth Office of Technology, the Personnel Cabinet and the StayWell IT team found that the attacker was unable to access financial and personal information on the portal, such as Social Security numbers, birthdays and addresses. However, the attacker was able to access health assessment data and biometric screening results, and to redeem the points members had accumulated on the platform as gift cards, resulting in about $100,000 in fraudulent gift card redemptions.
StayWell took the site down after the first attack to implement new security enhancements, but it was breached again from May 12-22 as a direct result of the first breach. StayWell said that about 42 of the original 971 affected members also had their government email accounts compromised in the second attack, which resulted in another $7,700 in fraudulent gift card redemptions.
StayWell notified the affected members of the incident and asked them to use stronger passwords and not reuse them across different programs and websites. The company said it is also working to add several new security measures for its users, according to the report.