Following the conclusion of its investigation of suspicious activity involving an employee's email account, AHP determined that an email phishing attack that targeted AHP employees may have resulted in unauthorized access to emails and attachments in the two employees' email accounts.
Although no evidence was found during the investigation that indicated that any emails in the employees' accounts were in fact acquired or accessed, AHP could not rule out that possibility. The investigation, which AHP concluded on
Subsequently, AHP undertook a comprehensive and time-consuming programmatic and manual review of all of the data that could have been in scope. This extensive review process was undertaken to identify the type of information involved and to whom the information related. AHP then correlated the results of this data review with its files to identify the health plans and self-insured universities associated with the information. Based on this review, AHP determined that emails or attachments in the employees' email accounts contained information about student members, including names, dates of birth,
AHP recommends that individuals regularly review the explanation of benefits received from their health insurer. If they see services that they did not receive, they should contact the insurer immediately.
AHP regrets any inconvenience or concern this may cause. To help prevent a similar incident from occurring in the future, AHP has provided extensive training to its employees regarding phishing emails and other cybersecurity issues and has enhanced existing security measures.