The bodybuilding and personal fitness website Bodybuilding.com has revealed it has had to deal with a security incident that may have led to the information of customers and employees being accessed by unauthorized people.
While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, bodybuilding.com was required to report the breach of group members’ PHI to the Office for Civil Rights.
The breach was noticed in February 2019 when suspicious activity was found on its network. A formal breach investigation was initiated which showed access to the network was gained as a result of an employee falling for a phishing scam.
While the data of customers and workers is not thought to have been obtained by unauthorized individuals as a result of the phishing attack, the possibility could not be eliminated.
The breach has now been addressed and its systems have been secured. As a precaution, a forced password reset was carried out for all users of the website. For customers, the information potentially obtained was limited to names, email addresses, addresses, phone numbers, birth dates, profile information, order histories, billing and shipping addresses, and communications with the firm.
Current and previous employees of the Idaho-based fitness retailer who are subscribers to the company’s group health plan had some of their employment-related information exposed. The breach also affected enrollees’ dependents and beneficiaries. The exposed data included names, contact details, dates of birth, Social Security numbers, government ID numbers, group health plan subscriber information, claims information, and procedure codes.
The breach investigation was finished on April 19, and all affected employees have been notified about the exposure of their PHI out of an abundance of caution. No reports of data misuse have been submitted to date.
The breach summary has recently been uploaded to the Department of Health and Human Services’ Office for Civil Rights breach portal, which shows that 3,193 current and former employees, dependents, and beneficiaries have been impacted by the breach.