Recently, AllOne Health Resources, Inc. confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on AllOne Health’s network. Evidently, AllOne Health discovered the breach after it realized it had wired money to a fraudulent bank account. This prompted the company to investigate the incident, which revealed that an unauthorized party had gained access to an employee’s email account. According to AllOne Health, the breach resulted in the names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and health information of 13,669 individuals being made accessible to an unauthorized party. On July 15, 2022, AllOne Health filed an official notice of the breach and sent out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the AllOne Health Resources data breach, please see our recent piece on the topic here.
What Led to the AllOne Health Resources Data Breach?
According to an official notice filed by the company, in February 2022, AllOne Health’s finance department learned that several wire transfers were inadvertently sent to a fraudulently created bank account. Upon making this discovery, the company reported the fraud to the FBI and launched an internal investigation into the incident.
During this investigation, AllOne Health learned that an unauthorized party had gained access to an employee’s email account, which they used to perpetrate the fraud. This prompted the company to review all emails and attachments in the compromised email account to determine if any consumer data was also accessible to the unauthorized party.
After a thorough review of the employee’s email account, AllOne Health confirmed that an unauthorized party had access to the email account, which contained sensitive consumer data t. The investigation also determined that the unauthorized party had access to it. While the breached information varies depending on the individual, it may include your name, address, date of birth, driver’s license number, Social Security number, and health information. In total, the AllOne Health data breach is believed to have affected 13,669 people.
On July 15, 2022, AllOne Health Resources sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
AllOne Health Resources, Inc. is an insurance company based in Wilkes-Barre, Pennsylvania. Founded in 1971, AllOne Health provides mental health and general health benefits to more than 1 million employees across the world. AllOne Health Resources employs more than 323 people and generates approximately $112 million in annual revenue.
Email-Based Cyber Attacks Continue to Plague U.S. Companies
It appears that AllOne Health was quite candid in how it discovered the recent data breach. However, one fact that the company left out is how the unauthorized party was able to access the email account containing the consumer data. Email-based cyber-attacks can occur in various ways; however, the most common way that hackers obtain login credentials to an employee’s email account is through phishing.
Phishing is a type of cyberattack that relies on principles of social engineering to trick an employee into providing the hacker with the information needed to access the company’s IT system. Phishing attacks start with the hacker sending a seemingly legitimate email; however, they are anything but legitimate. In most cases, hackers either request the email recipient to provide their login credentials or ask them to click on a malicious link.
After a cybercriminal gathers information through a phishing attack, they can use it to access the organization’s network, where all the sensitive information is stored. Often hackers will target companies they know will have valuable data that they can then sell or use to commit identity theft or other frauds, such as bank account numbers, credit card numbers, Social Security numbers or protected health information.
While a company is certainly one of the victims in the wake of a phishing attack, the real victims are those whose information is stolen in these cyberattacks. It is these individuals who must deal with the consequences of identity theft which, on average, takes months of work and hundreds of dollars to resolve.
Businesses are aware of phishing attacks and the threats that they pose to consumers. However, phishing attacks continue to be the most common—and most successful—type of cyberattack. It is imperative that businesses take the necessary steps to educate their employees about phishing. These attacks are preventable, and businesses are in the best position to prevent them.