Cyber Incident Victim: Benefit Plan Administrators, Inc.

Date: Mar 2022

Location: United States of America

Summary

Benefit Plan Administrators, Inc. experienced a data breach when an unauthorized party accessed its network, compromising sensitive consumer information including names, Social Security numbers, addresses, dates of birth, gender classifications, claims details, medication data, and medical diagnoses. The breach impacted individuals associated with Alpha Natural Resources Non-Union VEBA Trust and Williamson Employment Services, Inc., for which the company serves as a third-party administrator. After detecting the intrusion, the firm initiated an investigation with cybersecurity experts, confirming unauthorized access and potential data exfiltration. Notification letters were subsequently sent to affected individuals, and regulatory disclosures were made in compliance with legal requirements. The incident exposed protected health information, heightening risks of identity theft and medical record tampering.

Description

Benefit Plan Administrators, Inc. (BPA), a Roanoke-based third-party administrator of self-insured benefit plans founded in 1965, confirmed a data breach involving unauthorized access to its computer network. The company detected the network security intrusion on an unspecified date, prompting an immediate investigation coordinated with external cybersecurity experts. By March 15, 2022, the investigation revealed that an unauthorized actor had accessed and potentially exfiltrated certain files from BPA’s systems. The compromised data included full names, Social Security numbers, addresses, dates of birth, gender classifications, claims information, medication details, and medical diagnosis/condition records. The breach specifically impacted individuals associated with two client organizations: Alpha Natural Resources Non-Union VEBA Trust and Williamson Employment Services, Inc., with BPA operating as a Business Associate for both entities. BPA completed its review of affected files to identify the scope of exposed information, though the specific number of affected individuals was not disclosed in the company’s notice.

On June 15, 2022, BPA initiated breach notifications by mailing letters to all impacted individuals and submitting required disclosures to relevant state agencies under federal and state laws. The compromised data constituted protected health information (PHI), as it combined health-related attributes—such as medical diagnoses and treatment details—with identifiable elements including Social Security numbers, full names, and birthdates. This combination enables linkage of medical data to specific individuals, heightening risks of identity theft and medical fraud. Exposure of PHI creates distinct hazards compared to conventional financial data breaches, as malicious actors could exploit medical records to fraudulently obtain healthcare services, potentially corrupting victims’ medical histories with inaccurate treatment details or allergy information. The breach implicated BPA’s operational infrastructure supporting its role as a benefits administrator for employer-sponsored plans, though the technical vector of the attack and containment measures beyond the investigation were not detailed in public disclosures. BPA’s notification emphasized the sensitivity of the exposed data categories but did not specify whether ransomware, phishing, or other attack methodologies were involved in the incident.
