Full Report
SAG-AFTRA Health Plan said investigators traced the breach back to a phishing email that compromised the account. Law enforcement has been notified and the investigation is ongoing.
Analysis Summary
# Incident Report: SAG-AFTRA Health Plan Employee Email Compromise
## Executive Summary
In September, hackers compromised an employee email account belonging to the SAG-AFTRA Health Plan, leading to the exposure of sensitive member healthcare and personally identifiable information (PII). The attack vector was identified as a phishing email. While primary systems were not breached, the exposed data included names, Social Security numbers, and potential health/claims information for union members. Response was criticized for a significant delay between discovery (October 3) and notification (December 2), leading to a subsequent class-action lawsuit against the organization.
## Incident Details
- Discovery Date: October 3 (When the union health plan first became aware of the unauthorized access/leak).
- Incident Date: September (When the employee email account was compromised via phishing).
- Affected Organization: SAG-AFTRA Health Plan.
- Sector: Healthcare/Entertainment Union Administration.
- Geography: Not explicitly stated, but the plan serves union members in the US (SAG-AFTRA).
## Timeline of Events
### Initial Access
- Date/Time: September (Undisclosed date).
- Vector: Phishing email targeting an employee account.
- Details: The phishing attempt successfully compromised an employee email account.
### Lateral Movement
- Details: Not explicitly detailed. The attack appears confined to the accessed email account, as investigators found the union health plan's main systems were *not* breached.
### Data Exfiltration/Impact
- Details: Emails and attachments contained participants’ names, Social Security numbers, and, in some cases, health plan participant identification numbers and claims information.
### Detection & Response
- Date/Time: October 3 (Internal confirmation of data leak).
- Date/Time: December 2 (External notification to members and regulators).
- Details: Law enforcement was notified. The organization faced criticism for waiting nearly two months between discovering the leak and notifying affected parties. A class-action lawsuit was filed shortly after notification.
## Attack Methodology
- Initial Access: Phishing (Credential compromise via email).
- Persistence: Not detailed; assumed to be limited to the compromised email mailbox.
- Privilege Escalation: Not detailed.
- Defense Evasion: Use of legitimate employee credentials to access mail data.
- Credential Access: Successful credential theft via phishing response.
- Discovery: Internal investigation (Details on attacker reconnaissance are unavailable).
- Lateral Movement: Confined to the compromised email account; no evidence of movement to core systems.
- Collection: Accessing and reviewing emails and attachments containing sensitive data.
- Exfiltration: Assumed exfiltration of collected emails and attachments containing PII/PHI.
- Impact: Exposure of PII/PHI, leading to potential identity theft and subsequent litigation.
## Impact Assessment
- Financial: Lawsuit filed, indicating potential litigation costs and settlement liability.
- Data Breach: Names, Social Security Numbers, Health Plan Participant Identification Numbers, and health insurance information for plan participants (covering approximately 160,000 union members).
- Operational: Primarily regulatory and legal disruption following the delayed notification.
- Reputational: Significant negative press and loss of trust, highlighted by the class-action suit criticizing notification delays and lack of transparency.
## Indicators of Compromise
- **Network indicators:** No specific IPs or domains provided, only that the compromise was via email.
- **File indicators:** Emails and attachments containing PII/PHI within an employee mailbox.
- **Behavioral indicators:** Successful delivery and interaction with a malicious phishing email leading to credential compromise.
## Response Actions
- **Containment measures:** Access to the compromised employee email account was likely terminated or secured immediately upon discovery (October 3).
- **Eradication steps:** Not explicitly detailed, but would involve reviewing the mailbox for persistence mechanisms and removing any malicious artifacts.
- **Recovery actions:** Notification to affected members (December 2). Notifying California regulators. Engaging law enforcement. Setting up procedures to address fallout (the subject of the lawsuit).
## Lessons Learned
- Phishing remains a highly effective vector for initial compromise, even against health plan data that may be stored or referenced in employee inboxes.
- Internal notification procedures need significant tightening to prevent major delays between discovery and external disclosure (2 months in this case).
- Failure to disclose the scope of the breach promptly invited significant legal action and amplified reputational damage.
- The organization has a history of data security issues, having suffered a separate breach in 2019 involving the related AFTRA Retirement Fund.
## Recommendations
- Implement rigorous, multi-factor authentication (MFA) across all employee email accounts, irrespective of seniority or access level.
- Enhance security awareness training, focusing specifically on identifying advanced phishing attacks related to credential harvesting.
- Establish stricter internal Service Level Agreements (SLAs) for breach confirmation and mandatory external notification timelines that preempt regulatory deadlines.
- Review data retention policies for shared inboxes to minimize the volume of sensitive PII/PHI stored outside of secure, audited systems.
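The last recommendation, and the scoping work implied by the Impact Assessment, both come down to the same question: how much PII/PHI is sitting in a mailbox, and how much of it is older than policy allows? As an added example (not code from the report or from the SAG-AFTRA Health Plan), the following Python script inventories Social Security numbers and plan participant IDs across an exported mailbox and flags messages that are past a retention cutoff. The sample messages, the `HP-NNNNNNNN` participant-ID format, the dates and the 90-day window are all constructed assumptions; the SSN pattern applies the public SSA allocation rules (no 000/666/9xx area, no 00 group, no 0000 serial) so that obviously invalid test values are not counted.

```python
"""Inventory sensitive identifiers in a mailbox export and flag retention violations.

Added example; the mailbox below is constructed, not data from the incident.
"""
import re
from datetime import date, timedelta

# Constructed sample export: each message carries a received date, text parts, and
# attachment contents already extracted to text (e.g. CSV exports).
SAMPLE_MAILBOX = [
    {
        "id": "msg-001",
        "received": date(2020, 6, 12),
        "subject": "Claims batch for review",
        "body": "Attached are this week's claims.",
        "attachments": {
            # 987-65-4321 is a deliberately invalid SSN (9xx area numbers are never issued)
            # and should NOT be counted; 123-45-6789 is structurally valid and should be.
            "claims.csv": "name,ssn,participant_id\n"
                          "Jane Doe,123-45-6789,HP-00123456\n"
                          "John Roe,987-65-4321,HP-00654321\n",
        },
    },
    {"id": "msg-002", "received": date(2020, 9, 1), "subject": "Lunch",
     "body": "Pizza Friday?", "attachments": {}},
    {
        "id": "msg-003",
        "received": date(2020, 9, 20),
        "subject": "Member question",
        "body": "Member 555-12-3456 asked about coverage; participant ID HP-00777777.",
        "attachments": {},
    },
]

# Constructed "as of" date for the scan (stands in for the discovery date).
SAMPLE_AS_OF = date(2020, 10, 3)

# SSN: reject area 000/666/9xx, group 00, serial 0000 per SSA rules.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical participant-ID format; replace with the plan's real format.
PARTICIPANT_ID_RE = re.compile(r"\bHP-\d{8}\b")


def text_fragments(message):
    """Yield (location, text) pairs for every searchable part of a message."""
    yield "subject", message["subject"]
    yield "body", message["body"]
    for name, content in message["attachments"].items():
        yield f"attachment:{name}", content


def scan_message(message):
    """Return a list of {type, location, value} findings for one message."""
    findings = []
    for location, text in text_fragments(message):
        for m in SSN_RE.finditer(text):
            findings.append({"type": "ssn", "location": location, "value": m.group()})
        for m in PARTICIPANT_ID_RE.finditer(text):
            findings.append({"type": "participant_id", "location": location, "value": m.group()})
    return findings


def scan_mailbox(messages, retention_days=90, today=None):
    """Inventory a mailbox: findings per message, distinct identifiers, and
    messages that hold sensitive data but are older than the retention window."""
    today = today or date.today()
    cutoff = today - timedelta(days=retention_days)
    inventory = {"messages": {}, "distinct_ssns": set(),
                 "distinct_participant_ids": set(), "over_retention": []}
    for message in messages:
        findings = scan_message(message)
        if not findings:
            continue  # nothing sensitive; retention of this message is not a DLP concern
        inventory["messages"][message["id"]] = findings
        for f in findings:
            key = "distinct_ssns" if f["type"] == "ssn" else "distinct_participant_ids"
            inventory[key].add(f["value"])
        if message["received"] < cutoff:
            inventory["over_retention"].append(message["id"])
    return inventory


def mask(value):
    """Mask an identifier so the inventory report is not itself a second copy of the PII."""
    return "*" * (len(value) - 4) + value[-4:]


def report_lines(inventory):
    """Human-readable summary with masked values."""
    lines = [f"{len(inventory['messages'])} message(s) contain sensitive identifiers",
             f"{len(inventory['distinct_ssns'])} distinct SSN(s), "
             f"{len(inventory['distinct_participant_ids'])} distinct participant ID(s)",
             f"over retention: {', '.join(inventory['over_retention']) or 'none'}"]
    for msg_id, findings in inventory["messages"].items():
        for f in findings:
            lines.append(f"  {msg_id} [{f['location']}] {f['type']}={mask(f['value'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(scan_mailbox(SAMPLE_MAILBOX, today=SAMPLE_AS_OF))))
```

On real data the export step would come from the mail platform's eDiscovery or export tooling and attachments would need text extraction first; the scan logic itself is the same. Masking in the report matters: an unmasked inventory of SSNs is exactly the kind of artifact that should not live in another inbox.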