Cyber Incident Victim: Flexible Benefit Service Corporation
Date:
Dec 2017
Location:
United States of America
Summary
A phishing incident involving an employee email account at Flexible Benefit Service Corporation compromised personal and protected health information for 5,123 individuals. The Illinois-based benefits administrator, serving as a HIPAA business associate, detected unauthorized email activity that potentially exposed names, addresses, phone numbers, Social Security numbers, and dates of birth. While investigators found no evidence of misuse beyond the phishing attempts, the organization notified affected parties and provided identity theft protection guidance along with a dedicated assistance hotline. Immediate containment actions were taken upon discovery of the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 6, 2017, Flexible Benefit Service Corporation (Flex), an Illinois-based benefits administrator serving insurance brokers, employers, and carriers, identified unauthorized phishing emails originating from an employee’s email account. The company initiated immediate containment measures upon discovery, though the exact duration of unauthorized account access prior to detection was not disclosed. Flex conducted a forensic investigation to determine the scope of the incident, which revealed that the compromised account had been used to search for sensitive information. While investigators confirmed that the only observed malicious activity involved these searches, Flex acknowledged it could not definitively rule out further unauthorized access or data exfiltration. The breach impacted 5,123 individuals, though Flex did not disclose whether affected individuals belonged to a single health plan or multiple plans. As a Business Associate under HIPAA, Flex handled protected health information (PHI) and personal data on behalf of covered entities, but the specific health plans or entities involved were not identified in their public notification.
The compromised data included personally identifiable information (PII) and PHI such as names, addresses, phone numbers, Social Security numbers, and dates of birth, though the combination of exposed elements varied among individuals. Flex began notifying affected parties via personalized letters after completing its investigation, with the incident formally reported to the U.S. Department of Health and Human Services (HHS) on February 16, 2018. The company established a dedicated assistance hotline (1-800-547-2519) to address inquiries and provided guidance to impacted individuals on mitigating identity theft and fraud risks. Flex did not publicly specify technical remediation steps beyond securing the affected account or detail whether additional security controls were implemented post-incident. No evidence of identity theft or fraud stemming directly from the breach was cited in the notification, though the exposure of Social Security numbers and birth dates created inherent risks for financial and medical identity theft. The incident underscored operational risks associated with phishing attacks targeting employee email accounts at organizations managing sensitive benefits data.