Insurance Broker Notifying 1.5 Million of Health Info Hack

California Firm Said August Attack Affected Clients' Data
Insurance broker Keenan & Associates is notifying more than 1.5 million individuals about an August 2023 hacking incident that compromised personal and health information. (Image: Keenan & Associates)

A California insurance broker that handles employee benefits, workers' compensation and property liability is notifying more than 1.5 million individuals about a ransomware and data exfiltration attack last August that compromised health insurance information, passport numbers and Social Security numbers.

Torrance, California-based Keenan & Associates reported the hacking incident on Monday as affecting nearly 1.51 million individuals.

Keenan & Associates in a statement to Information Security Media Group said the data affected in the incident pertained "to certain clients and a limited number of employees."

Information potentially compromised in the incident includes individuals' names; birthdates; numerical identifiers such as Social Security, passport and driver's license numbers; health insurance information; and general health information.

The broker said that on Aug. 27 it had discovered certain disruptions occurring on some Keenan & Associates network servers. "Within hours of identifying the cybersecurity incident, we had contained it," the company told ISMG.

Keenan & Associates also notified the FBI.

An investigation determined that an unauthorized party had gained access to certain internal systems at various times for about a week, between Aug. 21 and Aug. 27.

Keenan & Associates declined ISMG's request for additional details about the incident, including the type of customers affected by the hack and whether the firm would report the breach to federal regulators as a HIPAA breach.

Depending upon the type of entity whose data was affected, the Keenan incident may or may not be considered a reportable HIPAA breach involving the compromise of protected health information. Information pertaining to an employee health plan would likely fall under the HIPAA banner, but workers' compensation or other kinds of casualty insurance might not, said an attorney who asked not to be named.

Third-Party Risks

The attack on Keenan & Associates appears to be part of a trend that has plagued many other firms that provide critical services to the healthcare sector and related entities, some experts said.

"Insurance companies, revenue cycle management firms, third party administrators, billing companies, and other business associates - they are being highly targeted," said Steve Cagle, CEO of privacy and security consultancy Clearwater.

These types of third-party services firms are falling victim to the same types of attacks hitting healthcare providers and related organizations directly, he said. "It's very similar techniques to what we're seeing across all industries."

The techniques include attacks involving ransomware, data exfiltration, social engineering and exploitation of IT vulnerabilities, Cagle said. "That continues to be a source of many attacks. There's been a very large number of vulnerabilities that have been exposed," he said.

Making matters even riskier is that many third parties, especially smaller firms, "might not be at the same level of maturity, and therefore they might have more vulnerabilities," he said. "They might have more exposures, plus they have a lot of data."

"All these firms really should be bolstering their security programs," Cagle said.

To help prevent a similar type of incident from occurring in the future, Keenan & Associates said it has implemented additional security protocols designed to enhance the security of its network, internal systems and applications. "Keenan will also continue to evaluate additional steps that may be taken to further increase our defenses."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
