Academic HealthPlans, Inc. Identifies and Addresses Data Security Incident

GRAPEVINE, Texas, July 20, 2021 /PRNewswire/ -- Today, Academic HealthPlans, Inc. ("AHP") announced that it has addressed a data security incident that may have resulted in unauthorized access to information pertaining to student health plans that it administers.

Following the conclusion of its investigation of suspicious activity involving an employee's email account, AHP determined that an email phishing attack that targeted AHP employees may have resulted in unauthorized access to emails and attachments in the two employees' email accounts.

Although no evidence was found during the investigation that indicated that any emails in the employees' accounts were in fact acquired or accessed, AHP could not rule out that possibility. The investigation, which AHP concluded on June 4, 2021, determined that two AHP employees' email accounts were subject to unauthorized access as a result of the phishing incident between the dates of August 6, 2020 and August 24, 2020, and on October 2, 2020. The investigation confirmed that the unauthorized access was limited to AHP's cloud-based, Microsoft Office 365 email system and did not involve AHP's enrollment waiver platform or any other AHP systems.

Subsequently, AHP undertook a comprehensive and time-consuming programmatic and manual review of all of the data that could have been in scope. This extensive review process was undertaken to identify the type of information involved and to whom the information related. AHP then correlated the results of this data review with its files to identify the health plans and self-insured universities associated with the information. Based on this review, AHP determined that emails or attachments in the employees' email accounts contained information about student members, including names, dates of birth, Social Security numbers, health insurance member numbers, claims information, and diagnoses and treatment information.

Between June 21, 2021 and July 7, 2021, AHP provided written notification to the health plans and self-insured universities whose members information may have been involved in this incident and offered to provide notice to those members and applicable regulatory agencies on their behalf. Beginning on June 29, 2021, the various health plans and self-insured universities responded affirmatively to the notification offer.

On July 20, 2021, AHP began mailing letters to individuals whose information may have been involved in the incident. AHP is offering eligible individuals complimentary credit monitoring and identity theft protection services. AHP also has established a dedicated, toll-free call center to answer questions that individuals may have. If individuals have questions, they should call 855-545-2003, Monday through Friday, between 8:00 a.m. and 5:30 p.m., Central Time. Additional information is also available at: https://www.ahpcare.com/.

AHP recommends that individuals regularly review the explanation of benefits received from their health insurer. If they see services that they did not receive, they should contact the insurer immediately.

AHP regrets any inconvenience or concern this may cause. To help prevent a similar incident from occurring in the future, AHP has provided extensive training to its employees regarding phishing emails and other cybersecurity issues and has enhanced existing security measures. 

SOURCE Baker & Hostetler LLP