Cyber Incident Victim: Vimly Benefit Solutions
Date:
Aug 2019
Location:
United States of America
Summary
A phishing attack targeting Vimly Benefit Solutions employees led to unauthorized access to internal email accounts, potentially exposing sensitive personal information of Boise police and fire personnel, retirees, and their dependents. Compromised data included names, Social Security numbers, birthdates, addresses, and health benefits enrollment details. The company initiated an investigation with cybersecurity experts but could not confirm whether specific information was accessed or misused. While no fraud was identified, notifications were sent to affected individuals, and ongoing monitoring was established to address potential risks from the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 19, 2019, Vimly Benefit Solutions discovered that an unauthorized individual potentially gained access to several employee email accounts three days earlier, on August 16, through a phishing attack. The company, which administers health benefits for organizations including the Boise Fire & Police Trust, initiated an investigation and engaged a cybersecurity firm to assist. Phishing, defined as fraudulent emails impersonating legitimate entities to extract sensitive data, compromised names, dates of birth, addresses, Social Security numbers, and benefits enrollment information. Vimly notified the Boise Fire & Police Trust—a self-funded health plan serving police, fire personnel, retirees, and dependents—about the incident on October 15, 2019. The breach’s scope remained unclear, as investigators could not confirm whether the intruder viewed or exfiltrated specific data.
Vimly absorbed the compromised email accounts to contain the incident and commenced mailing notification letters to affected participants on December 13, 2019. The company stated no evidence of fraud or misuse of information had been identified but advised recipients to monitor their accounts as a precaution. Notifications included instructions for trust members who did not receive letters by January 15, 2020, to contact Vimly via a dedicated phone line. The investigation remained ongoing, with Vimly committing to provide updates as new information emerged. Impacted individuals were not offered specific remediation services in the initial disclosure, though the company emphasized vigilance against identity theft risks stemming from exposed personal identifiers.