Posted On November 15, 2022 Consumer Privacy & Data Breaches
On November 9, 2022, Work Health Solutions (“WHS”) filed notice of a data breach with the Attorney General of California after the company learned that an unauthorized party had gained access to an employee’s email account. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ full names, Social Security numbers, driver’s license numbers, health insurance information, and medical information. After confirming that consumer data was leaked, WHS began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the WHS data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Work Health Solutions.
The available information regarding the Work Health Solutions breach comes from the company’s filing with the California Attorney General’s Data Security Breaches web page as well as notice posted on the WHS website. According to these sources, Work health Solutions recently learned that an unauthorized party had access to a single employee’s email account. While the company did not elaborate on how it came to this realization, in response to its discovery, WHS launched an internal investigation with the assistance of third-party data security experts.
The company’s investigation confirmed that an unauthorized party gained access to the employee’s email account on February 16, 2022. The period of unauthorized access lasted until March 24, 2022. Through its investigation, Work Health Solutions was also able to determine that some of the files accessible through the compromised email account contained sensitive information belonging to certain individuals.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Work Health Solutions began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your full name, Social Security number, driver’s license number, health insurance information, and medical information.
On November 9, 2022, Work Health Solutions sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Work Health Solutions is a medical services company based in San Jose, California. The company provides occupational health programs for large-scale employers designed to fit their unique needs. Work Health Solutions also provides onsite medical surveillance testing and occupational medical exams and offers wellness clinics, primary care, preventative programs and occupational health services. Work Health Solutions employs more than 100 people and generates between $5 and $25 million in annual revenue.
Work Health Solutions provides employers with healthcare programs and services. However, given the nature of the company’s business, there is a good chance that many of those who were impacted by the recent data breach had no idea that the company existed, let alone possessed their personal information. If you fall into this category, you may be wondering how the breach happened and what you can do to hold the responsible party accountable.
In the Work Health Solutions data breach letter, the company explains that the data breach resulted from an unauthorized party gaining access to an employee’s email account. Of course, you probably did not give your information directly to Work Health Solutions, so this may come as a surprise. However, the company likely had an agreement with your employer and, as a result of the services provided to them, had access to your information. But that doesn’t answer the question how hackers were able to get into the WHS employee’s email account.
While hackers have a few different ways to get ahold of an employee’s email login credentials, most email-based cyber attacks involve “phishing.” In fact, according to the Identity Theft Resource Center, phishing made up 33% of all cyberattacks in 2021, making them the most common type of cyberattack. In large part, this is because phishing attacks are one of the easiest attacks for hackers to carry out and have an incredibly high success rate. For example, in 2021, U.S. employees received an average of 14 malicious emails per year. However, some employees in certain industries received more than four times that number.
Phishing is a type of cyberattack where a hacker sends a fraudulent email to an employee of a company. In the email, the hacker uses principles of social engineering to trick an employee into either giving the hacker their login credentials or clicking on a malicious link. If the employee provides the hacker with their email login credentials, this enables the hacker to access any information contained in the employee’s email account. And, if the employee clicks on a malicious link, doing so may install malware on their computer, which is commonly the approach used in ransomware attacks. Either way, sensitive consumer information ends up in the hands of cybercriminals.
Of course, phishing emails are designed to look official, and hackers are adept at making these fake emails look very real. For example, hackers may use the correct company logo and use a very official-sounding email address. These emails look so official that many employees are duped into doing exactly as the hackers want. In fact, in 2021, 86% of companies reported having at least one employee click a phishing link.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the WHS data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Work Health Solutions:
Work Health Solutions (“WHS”) is committed to maintaining the privacy and security of the information that it maintains.
WHS recently learned that an email account was accessed between February 16, 2022 and March 24, 2022. WHS immediately launched an investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of incidents to determine the extent of any compromise. After an extensive investigation and manual review, WHS concluded on October 11, 2022, that the impacted email account may have contained certain files or folders with identifiable personal and/or protected health information for individuals who received services from WHS. More specifically, this information may have included impacted individuals’ full names, Social Security numbers, driver’s license numbers, health insurance information, and/or medical information. This incident does not affect all WHS service recipients and not all of these identifiers were included for all individuals.
To date, WHS is not aware of any reports of improper use of any information as a direct result of this incident. Nevertheless, out of an abundance of caution, WHS notified impacted service recipients whose contact information WHS had on file on or about November 9, 2022. Service recipients whose Social Security numbers were impacted are being provided with complimentary credit monitoring services. The notification letter advised affected service recipients about the process for placing fraud alerts and/or security freezes on their credit files and obtaining free credit reports. The affected service recipients were also provided with the contact information for the consumer reporting agencies and the Federal Trade Commission.
At WHS, protecting the privacy of personal information is a top priority. WHS is committed to maintaining the privacy of information pertaining to its service recipients and has taken many precautions to safeguard it. WHS continually evaluates and modifies its practices to enhance the security and privacy of its service recipients’ information, including the education and counseling of its workforce regarding service recipient privacy matters.
For individuals who have questions or need additional information regarding this incident, or to determine if they are impacted, WHS has set up a dedicated toll-free response line for individuals to ask questions. The response line can be contacted at 855-708-2445, available Monday through Friday, 9 a.m. to 9 p.m. Pacific Time.