After four months of detailed analysis, US truck manufacturer Navistar has confirmed a data breach on its systems that exposed the details of 63,126 healthcare employees.
Navistar immediately activated its cybersecurity response program after learning of a data breach on May 20. The manufacturer also worked with third-party cybersecurity specialists to determine the nature and extent of the breach.
Ten days later, the American manufacturer received information indicating that data had been exfiltrated from its systems. In the first week of June, the company filed a Form 8-K with the US Securities and Exchange Commission, alerting investors to the data breach. The notification generated press coverage of the incident from Reuters and other media outlets as investigators continued to examine its impact.
The investigation into the data theft confirmed on August 20, 2021, that the stolen files contained the protected health information of current and former members of the Navistar Health Plan and the Navistar Retiree Health Benefit and Life Insurance Plan.
According to a statement by Navistar, the exfiltrated data may have contained names, addresses, birth dates, and data linked to participation in the medical and insurance plans, which might have included certain health-related data such as the names of healthcare providers and prescription medications.
Stolen personal details of this kind are commonly used and traded by attackers because they offer a means to run more convincing phishing scams and to apply for fraudulent lines of credit under false names, researchers explained.
Navistar claimed it has strengthened its security since the data breach, including by deploying the latest technologies and providing additional training for employees. Security controls will continue to be assessed and kept up to date as necessary to avoid further disruptions.
Earlier in July, Navistar sent notification letters to the victims to advise them of the data breach. The company is also providing a free 2-year membership to credit monitoring and identity theft protection services to persons whose Social Security number was affected in the attack.
Additionally, the company sent a breach report to the Maine Attorney General indicating that 63,126 persons were affected. A breach report was also submitted to the Department of Health and Human Services’ Office for Civil Rights stating that 49,000 plan members’ PHI was exposed.