
Cyber Incident Victim: Kentucky Employees Health Plan

Date:

Apr 2020

Location:

United States of America

Summary

The Kentucky Employees’ Health Plan experienced two related cybersecurity incidents involving unauthorized access to a third-party wellness portal used by members. Attackers exploited valid credentials obtained externally to infiltrate the portal, viewing biometric screening and health assessment data while fraudulently redeeming over $100,000 in gift card rewards from member accounts. A subsequent breach targeted a subset of affected individuals whose compromised portal credentials matched their state email accounts, leading to additional fraudulent redemptions. The incidents stemmed from reused passwords across platforms, prompting the vendor to enhance security measures and notify impacted members about strengthening authentication practices.


Description

The Kentucky Employees’ Health Plan (KEHP) experienced two related data breaches in April and May 2020, affecting members enrolled in its wellness incentive program, which is managed by the third-party vendor StayWell. The first incident occurred between April 21 and April 27, when an external attacker gained unauthorized access to 971 KEHP member accounts on StayWell’s well-being portal. The attacker logged in with valid credentials obtained from an external source unrelated to StayWell’s systems. While sensitive personal and financial information, including Social Security numbers, addresses, and birthdates, remained secure, the intruder accessed members’ biometric screening results and health assessment data. The attacker also fraudulently redeemed accumulated wellness incentive points for gift cards, resulting in approximately $100,000 in losses. Following detection, StayWell temporarily took its portal offline to implement security enhancements. Investigations conducted by the Commonwealth Office of Technology, the Personnel Cabinet, and StayWell’s IT team confirmed the attacker was an external actor with no prior affiliation to StayWell.


A second breach occurred from May 12 to May 22, directly linked to the initial compromise. StayWell determined that 42 of the originally affected members reused their passwords across multiple platforms, enabling the attacker to infiltrate their Commonwealth email accounts. This secondary attack led to an additional $7,700 in fraudulent gift card redemptions. In response, StayWell notified all impacted members, advising them to adopt stronger passwords and avoid credential reuse. The Personnel Cabinet announced plans to educate state employees and StayWell users about cybersecurity best practices, including forthcoming training resources and tools aimed at preventing future incidents. No evidence suggested broader unauthorized access to financial systems or sensitive personal data beyond the health and incentive information confirmed in the breaches.
