Cyber Incident Victim: Health Plan of San Mateo
Date: Jan 2023
Location: United States of America
Summary
The Health Plan of San Mateo experienced a data breach after an unauthorized party accessed an employee's email account through a phishing attack, compromising sensitive member information. The exposed data included names, dates of birth, member identification numbers, and protected health information affecting 11,894 individuals. Following an investigation with a third-party security firm, the organization confirmed the unauthorized access and notified impacted parties while reporting the incident to federal regulators.
Description
On January 17, 2023, the Health Plan of San Mateo (HPSM) identified unauthorized access to an employee’s email account following a successful phishing attack. The breach prompted immediate engagement with a third-party data security firm to investigate the incident’s scope and determine whether member data was compromised. The investigation confirmed that the unauthorized party accessed files containing confidential member information stored within the compromised email account. HPSM subsequently reviewed these files to identify the specific individuals affected and the types of information exposed. The breach impacted 11,894 individuals, with compromised data including names, dates of birth, member identification numbers, and protected health information. HPSM filed a formal notice of the breach with the U.S. Department of Health and Human Services Office for Civil Rights on March 17, 2023, coinciding with the initiation of direct notifications to affected members.

The compromised information exposed individuals to potential risks of fraud and identity theft due to the sensitivity of the leaked data. HPSM’s response focused on transparency, issuing individualized data breach letters detailing the nature of the exposed information and providing guidance on protective measures. The organization did not disclose specific remediation steps offered to affected members but emphasized its collaboration with cybersecurity experts during the investigation. As a community-based health plan serving approximately 155,000 San Mateo County residents through programs like Medi-Cal and CareAdvantage, the incident underscored vulnerabilities in email security practices. The breach’s operational impact included internal reviews of security protocols, though HPSM did not publicly specify changes implemented post-incident. The event highlighted the persistent threat of phishing attacks targeting healthcare entities handling protected health information.
