Myrtle Beach, S.C.-based payer Choice Health recently shared that sensitive member health information was obtained by an unauthorized individual, HIPAA Journal reported June 15.
Choice Health, a subsidiary of Lincolnshire, Ill.-based Alight Solutions, discovered May 14 that an individual was offering a dataset reportedly stolen from the payer. On May 18, an investigation confirmed a Choice database had been exposed online due to a third-party provider error, meaning the data was accessible to anyone through the internet.
Choice found the database files were copied by an unauthorized individual on May 7. The files contained members' first and last names, Social Security numbers, Medicare beneficiary identification numbers, birthdates, addresses and contact information, and health insurance information.
A forum listing offering the data said 600 megabytes of data was obtained across 2,141,006 files, which were given names such as "Agents, Commission, Contacts, Policies," according to HIPAA Journal.
No misuse of the data has been reported, but an unknown number of affected Choice members have been notified and offered two years of credit monitoring and identity theft protection and resolution service.
The third-party provider has now secured the database, taken it offline and implemented multifactor authentication for file access.