Endpoint Security , Incident & Breach Response , Security Operations

Medical Data Exposed in Breach at True Health New Mexico

Insurer Counts Nearly 63,000 Victims; Offers Prepaid Credit Monitoring
Medical Data Exposed in Breach at True Health New Mexico

A health insurer in New Mexico is warning of a data breach that exposed personal and medical information.

See Also: Incident Response Guide: 10 steps to a Successful and Effective Incident Response Plan

True Health New Mexico says in a security advisory posted to its website that it first learned of the security incident on Oct. 5, following an "early October" intrusion.

THNM, which describes itself as a physician-led health insurance company, says the breach exposed names, birthdates, physical addresses, email addresses, insurance information, medical information, Social Security numbers, health account member IDs, provider information, dates of service and provider identification numbers.

"Upon discovering the incident, we promptly took steps to secure and contain the impacted THNM systems and supplemented our internal response teams with external cybersecurity professionals and other outside experts," the organization says. "We shut down certain systems where necessary, took other preventative measures, and supplemented our existing security monitoring, scanning, and protective measures."

True Health New Mexico didn't specify the number of individuals impacted in its advisory, although it reported the incident on Nov. 17 to the U.S. Department of Health and Human Services. In its listing of the breach, HHS, says there were 62,983 victims. It classifies the breach as being a "hacking/IT incident" involving a "network server."

Breach victims are being notified by postal mail, True Health says. Some people may be former members of True Health and also New Mexico Health Connections, which was a health plan previously administered by True Health New Mexico.

Offer: 2 Years of Prepaid Credit Monitoring

True Health New Mexico doesn't describe in its advisory how it was breached. As is typical boilerplate for a breached business, it notes that it has contacted law enforcement and also retained third-party external cybersecurity professionals to investigate the incident and remediate its systems.

"Through that investigation we learned that the incident was caused by an unauthorized third party who gained access to our IT systems in early October," the business says. "All evidence to date indicates the incident affected only True Health New Mexico systems."

True Health New Mexico is offering two years of prepaid credit monitoring services to victims. The deadline to enroll in those services is Feb. 15, 2022.

Thus far, the insurer says it has seen no signs that the exposed information has been abused. But data breach experts note that such stolen data can remain at large in perpetuity, during which time it will continue to put victims at elevated risk of phishing attacks, fraud and identity theft.

The insurer says it "encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor their credit reports and explanation of benefits forms for suspicious activity."


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.