eHealthInsurance, Campbell County Health each fall for W-2 phishing scams

The two health organizations are the latest involved in the tax season phishing campaigns, which trick HR and payroll employees to sending hackers their W-2 forms.
By Jessica Davis
04:01 PM
Share

Employees of Wyoming-based Campbell County Health and eHealthInsurance are the latest victims of a W-2 phishing scam, the organizations announced last week.

The Social Security numbers and W-2 information of around 1,400 Campbell Country employees were released on Jan. 25 by an employee, to a hacker impersonating a hospital executive, officials said. The hack only affected Campbell County Health employees, not patients.

Local law enforcement and a cybersecurity response team were contacted. Both are investigating the incident.

"We take this matter and the security of personal information very seriously at CCH, and we will continue to review and enhance our security practices to further secure our systems," CCH CEO Andy Fitzgerald, said in a statement.

Meanwhile, eHealthInsurance notified its employees of a similar breach on Jan. 27. An eHealth employee sent the W-2 information of the company's employee to a phishing email he or she believed was sent from an eHealth executive.

The stolen data contained W-2 information: name, address, Social Security number and the employee's wage information, eHealth CFO and COO Dave Francis said in a statement. The IRS and state Attorney Generals were contacted. eHealth will provide credit monitoring to affected employees for two years.

"As part of our ongoing commitment to the security of personal information in our care, we're working to provide additional mandatory training to employees on safeguarding the privacy and security of information on our systems," Francis said.

The two health organizations are part of a growing list of organizations impacted by a tax scam. Massachusetts-based Dracut Public Schools, UGI Utilities and San Francisco solar firm Sunrun, were also hit, just to name a few.

The IRS has cautioned all businesses to be on the look-out for tax-related phishing scams, as it has seen an influx of related cases. These scams were also problematic during 2016's tax season. Hackers trick payroll and human resources into providing employee tax information, by disguising the email as official company business.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com


Like Healthcare IT News on Facebook and LinkedIn