Cyber Incident Victim: Healthfirst
Date: Apr 2012
Location: United States of America
Summary
Healthfirst experienced a data breach compromising personal and health information of approximately 5,300 current and former members due to unauthorized access by an individual involved in a criminal fraud scheme. The exposed data included names, addresses, dates of birth, health insurance details, member and patient identifiers, diagnosis codes, and government program IDs. The perpetrator accessed the organization's online portal over a multi-year period before being discovered through a Department of Justice investigation. In response, the provider initiated security enhancements to its portal and policies, notified affected individuals, and offered complimentary identity protection services while fulfilling regulatory reporting obligations.
Description
Healthfirst, a New York-based healthcare organization, discovered in 2013 that it had been targeted by a criminal fraud scheme, prompting immediate notification to the U.S. Department of Justice. The Department of Justice subsequently informed Healthfirst on May 27, 2015, that the individual responsible for the fraud might have stolen personal information belonging to approximately 5,300 current and former members through unauthorized access to Healthfirst’s online portal. Healthfirst conducted an internal investigation and confirmed on July 10, 2015, that the perpetrator had accessed sensitive data between April 11, 2012, and March 26, 2014. The compromised information included names, addresses, dates of birth, health insurance plan details, physician numbers, Healthfirst member ID numbers, patient ID numbers, claim numbers, diagnosis codes, Medicare ID numbers, Medicaid ID numbers, and descriptions of missing services. This combination of personally identifiable information (PII) and protected health information (PHI) exposed affected individuals to potential identity theft, insurance fraud, and medical identity theft risks. The breach specifically involved data extracted from Healthfirst’s online systems rather than physical records, indicating a digital intrusion method aligned with the portal compromise described by authorities.

In response to the incident, Healthfirst initiated a comprehensive review of its security policies, procedures, and online portal safeguards to prevent future unauthorized access. The organization began notifying all 5,300 impacted individuals via mailed letters and provided them with complimentary identity theft protection services, including one year of credit monitoring and identity restoration assistance. Healthfirst formally disclosed the breach through a public notification on its website dated July 24, 2015, and reported the incident to the U.S. Department of Health and Human Services (HHS) and other relevant regulators as required by law. The notification emphasized that the fraudulent activity had been identified through collaboration with federal investigators, though no specific technical details about the portal’s security vulnerabilities or the perpetrator’s exact methods were disclosed publicly. The two-year window of unauthorized access suggested prolonged exposure of member data before detection, with remediation efforts focused on securing digital systems and complying with regulatory reporting obligations following the Department of Justice’s findings.
