Recently, Benefit Plan Administrators, Inc. confirmed that the company experienced a data breach after an unauthorized party gained access to the company’s computer network and the sensitive consumer data contained on the network. According to the BPA, the breach resulted in the full names, Social Security numbers, addresses, dates of birth, gender classification, claims information, medication information, and medical diagnosis/conditions information being compromised. On June 15, 2022, BPA filed an official notice of the breach and sent out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Benefit Plan Administrators data breach, please see our recent piece on the topic here.

What We Know About the Benefit Plan Administrators Data Breach

According to an official notice filed by the company, Benefit Plan Administrators detected a network security breach on an unknown date. While the company did not disclose the exact day it discovered the breach, it confirmed that, in response, it commenced a prompt and thorough investigation in consultation with outside cybersecurity professionals.

On March 15, 2022, as a result of this investigation, BPA learned that the incident involved an unauthorized party accessing and potentially removing certain files from the company’s network.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Benefit Plan Administrators then reviewed the affected files to determine exactly what information was compromised. While the breached information varies depending on the individual, it may include your full name, Social Security number, address, date of birth, gender classification, claims information, medication information, and medical diagnosis/conditions information.

Evidently, the breached data pertained to individuals associated with Alpha Natural Resources Non-Union VEBA Trust and Williamson Employment Services, Inc. BPA is classified as a Business Associated of each of these organizations.

On June 15, 2022, Benefit Plan Administrators sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. BPA subsequently provided notice to various state agencies, as required by state and federal law.

More Information About Benefit Plan Administrators, Inc.

Benefit Plan Administrators, Inc. is a company that serves as a third-party administrator of self-insured benefit plans. BPA is based in Roanoke, Virginia, and was founded in 1965. The company works with public and private employers to create customized health benefit plans. BPA primarily arranges for clients to receive care through Cigna, First Health, and Prime Health Services; however, BPA also facilitates care through contracting directly with certain hospitals. Benefit Plan Administrators employs more than 43 people and generates approximately $10 million in annual revenue.

What Is Protected Health Information and Why Is It So Important?

The Benefit Plan Administrators data breach affected a wide range of patient data. While the company did not use the term “protected health information” in its letter to the affected parties, based on the company’s disclosures, the breach resulted in protected health information being leaked.

Protected health information refers to identifying information relating to a patient’s health condition. It also includes data related to how a patient pays for their healthcare, such as insurance information. However, for data to be considered protected health information, it must contain at least one identifier. An identifier is an additional piece of data that hackers can use to identify a patient. Some of the most common identifiers include:

• Account numbers;

• Any geographical identifier more specific than a state;

• Biometric identifiers, including fingerprints;

• Dates of treatment;

• Email addresses;

• Fax numbers;

• Full name, or a last name with an initial;

• Full-face images or other identifying photographs;

• Medical record numbers;

• Phone numbers; and

• Social Security numbers.

The result is that when protected health information is exposed, it means that a hacker or other bad actor can use the data to identify the patient with little to no effort. While this is certainly alarming, the real problems with healthcare data breaches are not obvious to most.

The consequences of a healthcare data breach can be severe. For example, by obtaining protected health information, a hacker has enough information to steal the patient’s identity. However, healthcare identity theft is typically harder to resolve and comes at a far greater cost to patients than traditional data breaches that impact only Social Security numbers and financial information.

Aside from the typical risks of fraud and unauthorized transactions, healthcare data breaches put patients’ physical health at risk. For example, if a hacker sells a patient’s data to a third party, the third party can then use the information to obtain medical care in the patient’s name. In the course of receiving treatment, the “fake patient” may provide physicians with information about themselves that ends up in your medical record. For example, a fake patient may give a surgeon a list of their allergies, previous procedures, or medications that do not comport with the real patient’s medical history. This can result in a patient’s medical record containing inaccurate information.

Healthcare data breaches pose very real risks, and those who fall victim to such a breach should be sure to take the necessary steps to protect themselves.