Kentucky Healthcare Breach Exposes PHI of Nearly 1,000 State Employees

Analysis | By Revenue Cycle Advisor | June 09, 2020

The attack resulted in exposed biometric screening and health assessment data, as well as fraudulent gift card redemptions.

A version of this article was first published June 9, 2020, by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders.

The state of Kentucky disclosed recently that a healthcare portal used by state employees was hacked and the protected health information of nearly 1,000 members of the Kentucky Employees’ Health Plan (KEHP) was exposed.

The breaches took place in late April and early May, according to the Commonwealth of Kentucky Personnel Cabinet.

The site of the attack was KEHPLivingWell.com, a portal hosted by third-party vendor StayWell. After an investigation, it was determined that the first attack, which occurred between April 21 and 27, was the result of legitimate credentials being used to gain access to the StayWell systems. It is likely that a bad actor gained access to a set of valid KEHP member emails and passwords from a previously unidentified data leak in a non-StayWell system, according to the Commonwealth of Kentucky Personnel Cabinet.

The attack resulted in exposed biometric screening and health assessment data, as well as fraudulent gift card redemptions.

KEHP members can accumulate rewards points for participating in health and well-being activities through StayWell, and the points can be redeemed for up to $200 a year in gift cards.

Russell Goodwin, executive director for the Personnel Cabinet, told Kentucky.com that the fraudulent gift card redemption in the attack exceeded $107,000.

Upon becoming aware of the attack, StayWell disabled the KEHPLivingWell site to review security measures. It also implemented additional user controls to ensure added security. Those affected by the breach were notified.

StayWell is in the process of restoring all 971 affected member accounts to pre-incident status, according to the Commonwealth of Kentucky Personnel Cabinet.
