The Commonwealth of Kentucky Personnel Cabinet has revealed that two data breaches took place between late April and Early May. The attacks lead to the exposure of the protected health information of approximately 1,000 members of the Kentucky Employees’ Health Plan.
The first attack took place between April 21 and April 27 and a second was conducted in mid-May. In both cases, the hackers used stolen credentials to obtain access to accounts.
In the first attack, legitimate details were used to obtain access to StayWell systems. StayWell is a third-party vendor that manages a well-being and incentive portal for health plan subscribers.
Via the portal, plan members are able to manage their health and lead healthier lifestyles. Plan members who meet their health goals by carrying out certain actions and challenges are rewarded with points that can be exchanged for gift cards.
The first cyberattack was detected and reviewed by StayWell, the Commonwealth Office of Technology, and the Kentucky Personnel Cabinet. It was determined that while the hackers obtained access to the portal, they were not able to access highly sensitive information such as Social Security numbers, dates of birth, and addresses – the range of information commonly sought by identity thieves; however, the attackers were able to biometric screening information and health assessment data. The hackers were also able to access redeem points that had been accumulated by members, which were exchanged for gift cards. The hackers fraudulently redeemed around $100,000 of points. 971 individuals were affected by the initial breach.
StayWell put in place several security enhancements after the first attack; however, the hackers struck again and gained access to the government email accounts of 42 plan members in the more recent attack and used accumulated points to fraudulently steal $7,700 in gift cards.
According to StayWell, the second data breach was possible due to the first being successful and appears to have been due to password reuse. Specific plan members had used the same password for the portal as they did for their government email accounts, which allowed the hackers to access the email accounts.
The second breach acts as a reminder about the danger of reusing passwords on multiple accounts and platforms. Strong passwords should always be implemented to prevent passwords from easily being guessed, and unique strong passwords should be set on every platform or account. Password managers are important for storing strong passwords, but it is vital that a very strong password is set as the password manager master password.
StayWell said it is adding more security enhancements and has requested all impacted members set stronger, unique passwords. The Personnel Cabinet will make resources, tools, and training available to allow state employees and other users of the StayWell platform enhance security.