Cyber Incident Victim: Bankers Life
Date: May 2018
Location: United States of America
Summary
Bankers Life experienced a security incident where unauthorized parties compromised employee credentials, enabling access to internal systems and potentially exposing personal information of policyholders and applicants. The breach impacted over 566,000 individuals, with accessed data including names, addresses, dates of birth, insurance details, and partial Social Security numbers, though full SSNs, financial data, and medical records were generally unaffected. The organization initiated an investigation with external forensics and law enforcement involvement, implemented enhanced security measures, and offered affected individuals identity repair and credit monitoring services.
Description
On May 30, 2018, unauthorized third parties gained access to credentials belonging to a limited number of Bankers Life employees, initiating a security incident that persisted until September 13, 2018. The attackers used these compromised credentials to access certain company websites, potentially exposing personal information of policyholders and applicants. Bankers Life first detected the unauthorized activity on August 7, 2018, prompting immediate engagement with federal law enforcement and initiation of an internal investigation supported by an external forensics firm. The breach impacted 566,217 individuals according to a report filed with HHS under parent entity CNO Financial Group, Inc. Exposed data included names, addresses, dates of birth, insurance information (such as policy numbers, coverage types, premiums, service dates, and claim amounts), and partial Social Security numbers limited to the last four digits. For most affected individuals, the investigation confirmed no unauthorized access to complete Social Security numbers, driver's licenses, state IDs, financial account details, medical diagnoses, treatment plans, or prescription information. A small subset of victims received additional notifications confirming exposure of supplemental data categories not specified in the general disclosure. The attack vector centered on compromised employee email accounts that provided gateway access to internal systems containing protected health information and insurance records.

Bankers Life implemented containment measures including enhanced system access restrictions and monitoring protocols upon discovering the breach in August. The organization completed mass notifications by mail on October 25, 2018, aligning with regulatory requirements under HIPAA. Affected individuals received enrollment instructions for complimentary identity repair services and credit monitoring provided through ID Experts, accessible via a dedicated portal and enrollment codes included in notification packets. The company established a specialized call center operating from 5 am to 5 pm Pacific Time to address victim inquiries and facilitate service enrollment. Forensic investigators determined the attackers operated intermittently over the 106-day intrusion period, though the specific methods used to initially compromise employee credentials remained undisclosed. Security enhancements focused on restricting privileged system access while maintaining business operations throughout the investigation. Impacted insurance products included Medicare Supplement policies issued by Colonial Penn Life Insurance Company, a subsidiary entity referenced in customer communications. The breach disclosure emphasized that most victims' exposure was limited to demographic and insurance data rather than sensitive financial or medical information.
