Most employers use vendors to assist with managing various employee benefits, including payroll, health and dental benefits, pharmacy, cost-reduction strategies, retirement, analysis and wellness programs.
When using these vendors, the personal information of employees is provided to the vendor in data dumps. Usually that means that the vendors receive employees’ names, addresses, dates of birth, financial information, salary information, benefit elections, beneficiaries and other dependents, and oftentimes, full Social Security numbers.
Because benefit vendors are receiving high-risk data, they are considered high-risk vendors and companies may wish to consider completing security questionnaires or other due diligence regarding the vendors’ security practices.
Case in point is the recent successful credential hack of Benefit Recovery Specialists (BRS). BRS provides billing and collection services for health care entities. It is reported that more than 274,000 individuals are being notified by BRS that their data may have been compromised as a result of a malware incident that was discovered on servers on April 30, 2020.
According to BRS, a hacker successfully accessed an employee’s credentials to hack into the network for approximately 10 days. During that time, 274,000 individuals’ names, dates of birth, provider names, procedure codes, and dates of service, as well as some Social Security numbers, may have been accessed or compromised.
Although not confirmed, this sounds like a phishing incident. To avoid such a compromise, take care to assess the security practices of vendors and third-party service providers before transmitting high-risk employee, customer or patient information to them. The integrity of a business's security is only as good as that one employee who clicks on a phishing email.