FRANKFORT, KY — On April 27, the Kentucky Personnel Cabinet was notified of a security incident involving StayWell's well-being and incentive program portal. StayWell is a third-party vendor that manages the well-being program on behalf of the Kentucky Employees' Health Plan.
The security incident was related to a malicious attack against StayWell's portal, says the KY Personnel Cabinet.
The cabinet says the incident happened in two rounds, with the first taking place from April 21 through 27 and the second from May 12 through 22.
After the investigation, StayWell found that the attack was likely associated with a bad actor who had access to a set of valid KEHP member email addresses and passwords from a previous unidentified data leak in a non-StayWell system.
The cabinet says the investigation found that the attacker in the breach used valid KEHP member logins to access 971 member accounts on its platform, and a small subset of these members had their Commonwealth email accounts accessed.
The cabinet says the nature of the attack caused fraudulent gift card redemptions and exposed biometric screening and health assessment data.
Members' financial data or personal information, such as Social Security numbers, date of birth, or addresses, were not compromised in the incident, according to the cabinet.
The cabinet says the first round of the attack was isolated to StayWell's portal. The second round involved a small portion of KEHP members, targeting potential victims who likely used the same passwords across multiple systems, accounts, and programs. The Commonwealth says it has no reason to believe that the human resources system or its data were affected at any point during either attack.
StayWell says they temporarily disabled the KEHP LivingWell site to review site security measures and prevent any further unauthorized access or disclosure of participant data.
StayWell also implemented more user controls to ensure added security for members. StayWell says they told all affected members about the security incident.
StayWell says they are in the process of restoring all 971 member accounts, including affected member incentive accounts, to pre-incident status.
The Commonwealth Office of Technology, the Personnel Cabinet and StayWell say they take data incidents very seriously and encourage members to use strong passwords and not use the same password for multiple systems, accounts, and programs.
If you have questions about this security breach, you can contact StayWell at 1-866-746-1316 or KEHPLivingWell@staywell.com.