Gold Coast Health Plan said about 37,000 clients’ health information may have gotten into crooks’ hands due to a data breach.
Potentially affected by the breach are clients whose claim information was sent by email. The data included health plan ID numbers, dates of medical service, and in some cases, names, dates of birth, and medical procedure codes, Gold Coast said in a news release.
The attackers did not gain access to clients’ Social Security numbers or financial information, according to Gold Coast, a publicly funded entity that administers Medi-Cal health insurance to nearly 200,000 low-income residents of Ventura County.
Not all of those affected had the same information breached, the agency’s public relations manager, Susana Enriquez-Euyoque, said. For some, only one element was disclosed, she said, while others had two or more items compromised.
Those affected by the breach, totaling about 37,000 people, will be notified by mail, Enriquez-Euyoque said.
Officials with the health plan believe the attackers were trying to fraudulently transfer Gold Coast funds to their account. Gold Coast, however, said it is not aware that any misuse or attempted misuse of the information has occurred.
Gold Coast urged those affected to check their credit reports and look for suspicious medical bills. Gold Coast said it is offering identity theft protection services through ID Experts and providing affected clients with MyIDCare.
The data breach was linked to a phishing email attack, according to Gold Coast. In such an attack, hackers often send a fake link that appears to be tied to a legitimate site. When the victim clicks on the link, data can be compromised.
The attack compromised one employee’s email account, giving the attacker access to emails sent to the account between June 18 and Aug. 1, Gold Coast said.
Gold Coast said that when the problem was discovered on Aug. 9, it halted the attack, notified law enforcement authorities, disabled the compromised account, required a password change, maintained heightened monitoring, had a cybersecurity firm assess the problem, improved information security, and worked on educating employees about security issues, with an expanded focus on phishing emails.