Third-party administrator of insurance products Bay Bridge Administrators (BBA) is informing roughly 250,000 individuals that their personal information might have been compromised in a September 2022 data breach.
On Tuesday, the Austin, Texas-based administrator of employee benefit plans announced that, on September 5, 2022, it fell victim to a cyberattack that caused a network disruption.
A subsequent investigation revealed that, around August 15, 2022, a threat actor gained unauthorized access to the Bay Bridge Administrators network and used that access to exfiltrate certain data on September 3.
On December 5, the firm determined that both personally identifiable information (PII) and protected health information (PHI) was exposed during the attack, and started identifying the impacted individuals. On December 29, the company started notifying the impacted individuals of the incident.
The compromised information includes names, addresses, birth dates, Social Security numbers, ID and driver’s license numbers, and medical and health insurance information.
“The personal and protected health information involved was shared with BBA either by the individual, the individual’s employer, and/or the individual’s insurance carrier(s), in connection with enrollment in an employment insurance benefit plan for calendar year 2022,” the company says.
BBA says it is not aware of any of the compromised data being misused, but it is not uncommon for stolen personal information to be traded on hacker marketplaces before being used for nefarious purposes.
On December 29, the company notified the Maine Attorney General’s office that more than 251,000 individuals were impacted by the incident.