Cyber Incident Victim: HBP Financial Services Group
Date:
Apr 2021
Location:
United States of America
Summary
A cybersecurity incident at HBP Financial Services Group involved unauthorized access to two email accounts via a phishing attack, with the attacker's objective focused solely on financial fraud against the organization. The compromised accounts potentially exposed personal information including names, addresses, dates of birth, account numbers, insurance details, and limited clinical data for individuals associated with a client entity, though no evidence indicated data exfiltration or misuse. The breach was contained within 24 hours through system security enhancements and forensic investigation, which confirmed no broader system compromise occurred. Social Security numbers were not affected, and the incident was reported to law enforcement authorities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 20, 2021, HBP Financial Services Group (HBP), serving as practice administrator for Pathology Consultants of New London, PC (PCNL), discovered unauthorized access to two corporate email accounts. The attacker had used these accounts to attempt financial fraud against HBP. The initial forensic investigation determined the compromise likely originated from a phishing attack, with the first unauthorized access occurring between April 30, 2021, and May 20, 2021. HBP immediately engaged an IT forensics firm to investigate the incident, secure systems, and implement additional protective measures. Within 24 hours of detection, the email system was secured, and investigators confirmed only the two email accounts were compromised—no other HBP systems were affected. The forensic analysis indicated the attacker’s sole objective was financial fraud targeting HBP, with no evidence suggesting data exfiltration, forwarding, or acquisition of personal information from the email accounts. HBP reported the incident to the FBI.
Despite the lack of evidence that personal data was accessed or misused, HBP conducted a comprehensive review of the compromised email accounts and attachments. This review revealed the presence of personal information belonging to individuals for whom PCNL lacked adequate contact details, including names, addresses, dates of birth, account numbers, insurance information, and limited clinical data. Social Security Numbers were not involved for the affected individuals notified through this breach disclosure. HBP formally notified PCNL of the incident on July 21, 2021, and issued a public notice to reach individuals whose addresses PCNL did not possess. HBP emphasized that the attacker’s focus on financial fraud, coupled with the absence of evidence indicating interest in personal data, led them to conclude no additional protective measures were necessary beyond routine review of explanation of benefits statements. The company established a dedicated assistance line (888-994-0267) with reference number B017858 for affected individuals and stated it had implemented enhanced security measures to prevent future incidents.