
Cyber Incident Victim: Cigna

Date: Apr 2022

Location: United States of America

Summary

Unauthorized third parties accessed certain customer accounts within Cigna's Express Scripts mobile application using valid credentials, compromising personal and protected health information including names, medication details, prescription numbers, dosages, prescribing physicians, and pharmacy names. The breach prompted immediate account lockdowns, password resets, and recommendations for affected individuals to update credentials across other platforms sharing the same passwords, though the total number impacted remains unclear.


Description

Express Scripts, a pharmacy benefit management organization, experienced unauthorized access to certain customer accounts through its mobile application between April 30 and May 3, 2022. The breach was detected on May 1, 2022, when suspicious activity was identified involving third parties accessing accounts using valid usernames and passwords. This method suggested potential credential compromise through techniques like password spraying, where attackers exploit reused credentials from unrelated breaches. The accessed accounts contained protected health information including patient names, medication names, prescription numbers, dosage details, prescribing physician names, and pharmacy names. Upon discovery, Express Scripts immediately locked affected accounts and reset passwords to prevent further unauthorized access. The company notified impacted individuals through a breach disclosure to the Massachusetts Attorney General, though the total number of affected customers remained unspecified in available reports.

The incident exposed sensitive prescription and treatment information without evidence of subsequent misuse at the time of reporting. Express Scripts advised affected individuals to change passwords on other accounts sharing identical credentials as a precautionary measure. No additional technical or forensic details regarding the attackers' entry vector or broader network impact were disclosed. The breach occurred within a broader context of healthcare-sector targeting, as evidenced by contemporaneous incidents at Comstar, DialAmerica Marketing, Alliance Physical Therapy Partners, and 90 Degree Benefits Minnesota, all involving unauthorized system access and PHI exposure between 2021 and 2022. While Express Scripts implemented immediate account security measures, the disclosure did not specify whether multi-factor authentication enhancements or systemic authentication protocol changes were enacted following the incident. The company's response focused on containment through credential resets and user education regarding password hygiene, without elaborating on long-term security infrastructure modifications.
