The owner of Bodybuilding.com, a website on bodybuilding and personal fitness, announced a security incident that may have resulted in unauthorized access to customer and employee information.
Under HIPAA, this type of breach affecting customers is not a reportable incident. However, HIPAA does cover group health plans, so Bodybuilding.com had to report the PHI breach affecting group health plan members to the Office for Civil Rights.
Bodybuilding.com discovered the breach in February 2019 after detecting suspicious activity on its network. An official breach investigation showed that the network was accessed after an employee fell for a phishing scam.
Although it is believed that the data of its customers and staff were not acquired by unauthorized people as a result of the phishing attack, that possibility could not be completely ruled out.
Bodybuilding.com has already resolved the breach and secured its systems. As a precaution, all website users’ passwords were forcibly reset. For customers, the information possibly obtained included names, email addresses, postal addresses, telephone numbers, birth dates, profile details, order records, billing and shipping information, and communications with the company.
Current and past employees of the Idaho fitness shop who are members of the company’s group health plan had some of their employment-related details exposed. The breach likewise affected enrollees’ beneficiaries and dependents. The exposed data included names, telephone information, dates of birth, Social Security numbers, government ID numbers, group health plan subscriber data, claims data, and procedure codes.
The investigation of the breach concluded on April 19, and all affected employees were notified of the PHI exposure as a precaution. To date, no reports of misused data have been received.
The breach summary was recently posted on the Department of Health and Human Services’ Office for Civil Rights breach portal, which states 3,193 current and past employees, dependents, and beneficiaries were affected by the breach.