
Cyber Incident Victim: Academic HealthPlans

Date: Aug 2020

Location: United States of America

Summary

A phishing attack compromised two employee email accounts at Academic HealthPlans, a broker managing student health insurance plans for UnitedHealthcare. Unauthorized actors accessed the accounts and attachments over multiple weeks, exposing students' names and personal health information. The breach impacted 2,330 individuals and remained undetected for nearly a year before discovery. An investigation confirmed the intrusion occurred within the organization's cloud and Microsoft Office email environment, prompting notifications to affected universities and students.


Description

Academic HealthPlans, a broker contracted by UnitedHealthcare to administer student health insurance plans for universities, experienced a cybersecurity incident stemming from phishing attacks targeting its employees. Between August 6 and August 24, 2020, and again on October 2, 2020, attackers successfully compromised two employee email accounts. These accounts contained attachments with sensitive student information, including names and personal health data. The breach went undetected for nearly a year until Academic HealthPlans discovered unauthorized access on July 1, 2021. The compromised accounts were part of the broker’s cloud-based Microsoft Office email network, though neither the exact method of initial phishing delivery nor the attackers’ persistence mechanisms were detailed in available reports. UnitedHealthcare later disclosed the incident to Maine’s attorney general’s office, confirming the exposure of 2,330 patients’ data through this breach.


Upon discovery, Academic HealthPlans initiated an investigation that confirmed unauthorized actors had accessed the email environment during the specified periods. The broker began notifying affected universities and students whose information resided in the email attachments. No evidence suggested misuse of the exposed health data, but the notifications aimed to inform individuals of potential risks. The incident highlighted a delayed detection timeline, with phishing compromises occurring in 2020 but remaining unidentified for approximately eleven months. Academic HealthPlans did not publicly disclose specific remediation steps beyond the investigation, though the breach underscored vulnerabilities in email-based data storage and the impact of successful phishing campaigns on third-party service providers in the healthcare sector.
