Cyber Incident Victim: Capitol Administrators

Date: Mar 2018

Location: United States of America

Summary

A phishing incident compromised employee email accounts at Capitol Administrators, a third-party benefits administrator, potentially exposing sensitive member data from group health plans. Unauthorized access to emails and attachments may have included names, Social Security numbers, medical information, and health insurance details. The organization responded by securing affected accounts, initiating forensic investigations, and implementing enhanced security measures such as multi-factor authentication and employee training. Notifications were issued to potentially impacted individuals, accompanied by a dedicated call center for inquiries. While conclusive evidence of data misuse wasn't established, the possibility couldn't be ruled out, prompting these precautionary actions to mitigate future risks.

Description

On March 30, 2018, Capitol Administrators, Inc. (“Capitol”) identified a phishing email incident through a forensic investigation. The unauthorized access involved certain emails and attachments within a limited number of employee email accounts. Capitol immediately secured the compromised accounts upon detection and initiated an internal investigation to assess the breach’s scope. The organization engaged a leading cybersecurity firm to conduct a parallel forensic examination. Investigators confirmed the unauthorized actor accessed emails and attachments containing sensitive member information related to group health plans administered by Capitol. While the forensic analysis could not definitively confirm whether the attacker opened the attachments, investigators noted this possibility could not be eliminated. The compromised data included member names alongside combinations of Social Security numbers, medical information, and health insurance identification numbers. Capitol functioned as a third-party administrator for employer-sponsored health plans, processing claims and benefits data provided by clients, medical providers, and other entities. This operational role necessitated the storage of personally identifiable information and protected health data within its systems.

Capitol initiated individual notifications on May 11, 2018, advising potentially affected members of the breach. The organization established a dedicated call center operational Monday through Friday from 9:00 a.m. to 6:00 p.m. Eastern Time, directing individuals to contact 1-833-219-9090 if they suspected impact but had not received notification letters by May 28, 2018. In response to the incident, Capitol implemented multi-factor authentication across its network and email systems while upgrading its security infrastructure. The company also conducted enhanced employee training programs focused on phishing prevention and email security protocols. These measures aimed to reduce recurrence risks by addressing the initial attack vector exploited in the breach. Capitol publicly expressed regret regarding the incident but did not disclose the exact number of affected individuals or specific client organizations impacted. The compromised information originated from data shared with Capitol for claims processing and benefits administration services under its contractual agreements with employer-sponsored health plans.
