OneTouchPoint Inc. Confirms Data Breach Potentially Impacting Dozens of Other Businesses (and Their Customers) – JD Supra

On July 27, 2022, OneTouchPoint Inc. (OTP) confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on OneTouchPoints network. According to OneTouchPoint, the breach resulted in the names, member IDs, and healthcare information of certain individuals being compromised. OTP notes that, because it serves as a vendor for dozens of other organizations, customers that never did business with OTP may be included among the affected parties. Recently, OneTouchPoint filed an official notice of the breach and sent out data breach letters to everyone who was impacted by the recent data security incident.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the OneTouchPoint Inc. data breach, please see our recent piece on the topic here.

According to an official notice filed by the company, on April 28, 2022, OTP discovered that certain files on its computer system had been encrypted. In response, the company secured its systems and, working with cybersecurity professionals, began an investigation into the accident.

As a result of this investigation, OTP learned that the unauthorized party initially gained access to its systems on April 27, 2022. Subsequently, on June 1, 2022, OTP then learned that it would not be able to tell which files the unauthorized party actually viewed. The company then focused on reviewing all compromised files to determine what information was contained on them and who it belonged to. While the breached information varies depending on the individual, it may include your name, member ID, and any information you provided during a health assessment.

OTP is a vendor that provides printing and mailing services to various health insurance carriers and medical providers. Thus, the OTP data breach may impact consumers who obtained treatment or have insurance policies with any of the following companies or providers:

Common Ground Healthcare Cooperative

Banner Medicare Advantage Dual

Blue Cross Blue Shield of Arizona

MediSun, Inc. d/b/a Blue Cross Blue Shield of Arizona Advantage

Health Choice Arizona, Inc

Blue Cross Blue Shield of Massachusetts

Blue Cross Blue Shield of Rhode Island

Blue Cross Blue Shield of South Carolina Commercial

BMC HealthNet Plan / Well Sense Health Plan

CareFirst Advantage

Commonwealth Care Alliance

ElderPlan/HomeFirst

EmblemHealth Plan, Inc.

Florida Blue

Geisinger

Health Alliance Plan of Michigan

HAP Midwest Health Plan

Health First

Health New England

Health Plan of San Mateo

HealthPartners

Highmark Health

Humana

Kaiser Permanente

KS Plan Administrators, LLC

MVP Health Care

Pacific Source

Premera Blue Cross Medicare Advantage Plans

Prime Time Health Plan

Point32Health

Regence BlueCross BlueShield of Oregon

Regence BlueCross BlueShield of Utah

Regence BlueShield

Regence BlueShield of Idaho, Inc.

UPMC Health Plan

Matrix Medical Network

OneTouchPoint Inc. initially sent out a summary of its investigation on June 3, 2022. More recently, on July 27, 2022, OTP sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Founded in 2007, OneTouchPoint Inc. is a software and business services company based in Hartland, Wisconsin. The company provides a range of services to its corporate clients, including brand management, local marketing, marketing execution, print production and supply chain logistics. OneTouchPoint deals with companies across many industries, including alcohol & beverage, financial services, retail, healthcare, insurance, and manufacturing. OneTouchPoint Inc. employs more than 600 people and generates approximately $238 million in annual revenue.

In the letter that OneTouchPoint sent to victims of the recent breach, the company mentioned that it first learned of the incident when it noticed certain files on its computer network had been encrypted. Encryption is a process that encodes files, making them inaccessible to anyone without the encryption key (such as a password). Encryption is used every day for all sorts of lawful purposes, for example, to keep people from accessing sensitive data. However, cyberattacks also use encryption when orchestrating a ransomware attack.

Thus, when a company notes that its files were encrypted, its a good indication that it suffered a ransomware attack. In a typical ransomware attack, hackers install malware on a victims computer that encrypts some of all of their files. When the victim logs back on to their computer, they are met with a message from the hackers demanding a ransom. If the victim pays the ransom, the hackers (should) decrypt the files, allowing the victim access to their files.

More recently, some hackers have taken ransomware attacks to a new level, however, by threatening to publish the stolen data if the ransom isnt paid. This adds additional incentive for the victim to pay the ransom. However, the FBI and other federal agencies routinely advise companies not to pay ransoms demanded by hackers because this only encourages hackers to carry out these types of attacks. Of course, this puts companies in a difficult position because, by not paying a ransom, they may end up responsible for the breach in the publics eye.

Of course, the best way to prevent an unauthorized party from accessing consumer data is for a company to implement a robust data security system in the first place. Companies that fail to take data security seriously are often those that end up targeted by hackers in a ransomware attack.

See the original post:
OneTouchPoint Inc. Confirms Data Breach Potentially Impacting Dozens of Other Businesses (and Their Customers) - JD Supra