https://www.jdsupra.com/legalnews/welldynerx-llc-files-notice-of-data-1085442/
Earlier this year, WellDyneRx, LLC reported a data breach after the company discovered unauthorized activity within one of the company’s email accounts. As a result of the breach, the names, dates of birth, Social Security numbers, driver’s license numbers, treatment information, health insurance information, contact information, prescription information, and other medical and healthcare-related information of certain individuals was accessible to an unauthorized party. More recently, on July 1, 2022, WellDyneRx, LLC filed notice with the U.S. Department of Health and Human Services Office for Civil Rights regarding a December 2021 data breach, indicating that the company estimates the breach affected 38,401 individuals.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the WellDyneRx data breach, please see our recent piece on the topic here.
Additional Information Regarding the WellDyneRx Data Breach
According to the most current information, the WellDyneRx breach was first detected on December 2, 2021, when the company noticed suspicious activity within one of the company’s email accounts. Upon this discovery, WellDyne enlisted the help of cybersecurity professionals to investigate the incident and determine what, if any, consumer information was compromised. The investigation revealed that there was unauthorized access to the account between October 30, 2021, and November 11, 2021.
Once WellDyne confirmed the unauthorized access, the company then reviewed all emails, files and attachments within the affected email account. On March 11, 2022, the company completed this process, reporting that the data types leaked as a result of the breach included consumers’ names, dates of birth, Social Security numbers, driver’s license numbers, treatment information, health insurance information, contact information, prescription information, and other medical and healthcare-related information.
Subsequently, on May 6, 2022, WellDyneRx issued data breach letters to all individuals whose information was compromised. Finally, on July 1, 2022, WellDyneRx provided official notice of the breach to the U.S. Department of Health and Human Services Office for Civil Rights.
WellDyneRx, LLC is a pharmacy benefit manager based in Lakeland, Florida. As a pharmacy benefit manager, the company oversees the administration of the pharmacy benefits portion of insurance policies on behalf of insurance companies. WellDyne works with more than 2,000 providers, serving more than three million patients. WellDyne’s pharmacy network includes more than 65,000 retail pharmacies, including large national chains, regional chains and many independent pharmacies. WellDyne has approximately 700 employees and generates approximately $76 million in revenue each year.
How Do Hackers Access Employee Email Accounts?
While WellDyneRx provided a fair amount of information about the recent breach, the company did not explain how the unauthorized party accessed the employee’s email account. Email-based cyber attacks can occur in a number of ways; however, perhaps the most common type of email-based cyber attack is a phishing attack.
Phishing attacks rely on principles of social engineering to trick an employee into providing the hacker with the tools necessary to access the company’s computer system. Typically, this is either by requesting the recipient provide their login credentials or by asking the recipient to click on a malicious link. Phishing attacks start with the hacker sending a seemingly legitimate email; however, they are anything but legitimate.
The information a hacker obtains through an email phishing attack can be used to access the organization’s network and all the sensitive information contained therein. Thus, this provides hackers with more than enough information to commit fraud or identity theft against multiple victims. While a company is certainly one of the victims of a phishing attack, the real victims are those whose information is stolen in these cyberattacks.
Phishing is extremely common. According to a 2021 study, U.S. employees receive an average of 14 malicious emails per year. Employees in certain industries, such as retail workers, receive an average of 49 malicious emails per year. What’s more surprising is that 86% of companies had at least one employee click a phishing link in 2021.
Businesses are aware of phishing attacks and the threats that they pose to consumers. Thus, it is essential that all businesses take the necessary steps to educate their employees about phishing. For example, given the high number of phishing attacks in recent years, many companies require employees to attend training to help them identify phishing attacks. These efforts are the least a company can do to help ensure the safety of the consumer information in their possession.