BUFFALO, N.Y. (WKBW) — Highmark Inc. announced on February 6 that it became aware of a data breach related to a malicious email phishing campaign.
"The incident in question was discovered on Dec. 15, 2022, and occurred between Dec. 13, 2022, and Dec. 15, 2022, whereby an employee was sent a malicious phishing email link that led to their email account being compromised and a threat actor obtained access to files that may have contained the protected health information (PHI) of Highmark members."
Highmark says the incident did not involve customers of Highmark Blue Cross Blue Shield of Western New York.
"A very small percentage of New York residents may have been affected if their company is insured through Highmark and headquartered outside of New York State. Across all of New York State, including New York City, less than 1,800 individuals were notified that they may have been affected," a spokesperson said in a statement to 7 News.
Highmark said it immediately responded and launched an investigation.
"The response teams quickly contained the mailbox, removed the malicious email from all domain users and implemented additional preventative and monitoring controls. We have engaged our vendor supporting our email environment who assisted with implementing additional preventive controls to enhance our security posture and email security controls. We also engaged a third-party digital forensics firm to determine the full extent of the breach."