Highmark notifies members about data breach

Highmark recently became aware of a data security incident related to a malicious email phishing campaign affecting approximately 300,000 members.

The incident occurred between Dec. 13, 2022, and Dec. 15, 2022, and was discovered on Dec. 15, 2022. An employee was sent a malicious phishing email link that led to their email account being compromised, and a threat actor obtained access to files that may have contained the protected health information (PHI) of Highmark members.

Highmark responded to this incident and launched an investigation. The response teams contained the mailbox, removed the malicious email from all domain users and implemented additional preventative and monitoring controls. “We have engaged our vendor supporting our email environment who assisted with implementing additional preventive controls to enhance our security posture and email security controls. We also engaged a third-party digital forensics firm to determine the full extent of the breach.”

Highmark has not discovered any evidence to date that data potentially accessed because of this incident has been used fraudulently.