420,433 Individuals Impacted by Data Breach at Health Plan of San Joaquin

Health Plan of San Joaquin (HPSJ) has revealed that an unauthorized actor obtained access to its email databases and may have been able to access private data.

The breach was first suspected around October 12, 2020, when suspicious behaviour was noticed on the email system. HPSJ, a non-profit Medi-Cal managed care provider based in French Camp, CA, discovered on October 23, 2020 that a number of different staff email accounts had been remotely accessed by an unauthorized actor. A password reset was conducted on all impacted email accounts to prevent further access. The HIPAA breach review identified evidence of unauthorized access to email accounts at different points in time from September 26, 2020 to October 12, 2020.

Once it is discovered that an email database has been infiltrated, all emails in the impacted accounts must be reviewed to see whether any private or protected data was present, a task that can take a substantial amount of time. On this occasion, both a programmatic and a manual review had to be completed. Once the review was completed, it was estimated that the breach could have compromised email accounts that held the protected health information of 420,433 people.

The delay in distributing the breach notification letters was caused by the time it took to complete the review and list the PHI held in the email accounts. In addition, more time was needed to review internal records and collate current contact information for those individuals so that notification letters could be issued. That process has only recently been finished, and breach notification letters were first sent to impacted people on May 18, 2021.

The PHI held in the impacted accounts included names, addresses, and Social Security data. While unauthorized email account access was discovered, no evidence was uncovered to suggest that there had been any improper use of PHI. However, as a precautionary step, all those who may have had their PHI accessed have been offered a free one-year subscription to credit monitoring services through Equifax.