An unknown number of Grand Valley residents over the past week have received letters from a vendor for Rocky Mountain Health Plans warning them of a data breach that may have revealed some of their personal information.
In the letter, the Wisconsin-based OneTouchPoint Inc., a company the local health insurance provider uses for printing and mailing services, wrote that it had discovered encrypted files on certain computer systems it uses.
“We immediately launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the activity,” the company wrote. “Our investigation determined that there was unauthorized access to certain of our servers beginning on April 27, 2022. Through the investigation, we learned that we would be unable to determine the specific files the unauthorized actor viewed within our network.”
The letter goes on to say that the only information the “actor” could have accessed was the first and last names of an undisclosed number of people who insure with Rocky Mountain. The letter adds that addresses, health plan member ID numbers, the name of the health insurance plan and health plan information also were accessed, but not anyone’s Social Security numbers.
Patrick Gordon, chief executive officer of Rocky, said no one’s personal health information was part of the data breach.
“This issue was limited, and no personal financial or health information was impacted,” Gordon said. “Members who experienced this issue have been alerted to steps they can take to protect their identity.”
In the company’s notice of the data breach to the Colorado Attorney General’s Office, however, it reported that medical information was involved. Also, the company didn’t report the incident to state officials until Aug. 12, four months after it occurred.
The company did not respond to requests for comment.
The company did report the incident in July to the U.S. Department of Health and Human Services’ Office for Civil Rights, which tracks such data breaches.
According to an analysis of those records, there has been a steady increase in similar data breaches in the health care industry over the past decade. The Center for Internet Security, a New York-based nonprofit that works to help prevent such breaches, says the health care industry appears to experience them more than any other industry, but that may be partly because the federal Health Insurance Portability and Accountability Act (HIPAA) requires companies to report.
The vendor advised those impacted by the breach to monitor any future benefit statements for “any unfamiliar activity,” and to contact the three national credit reporting agencies — Equifax, Experian and TransUnion — to file a fraud alert or credit freeze.