Data Breaches
Important information regarding the data breaches of Infosys McCamish Systems (IMS) in November 2023 and CHANGE Healthcare in February 2024.
A note about employee IDs
Questions have been raised by individuals about a need to change their Cornell employee ID due to these breaches. While the EMPLID may have been part of vendor databases that were accessed/breached, at this time there is no specific concern about Cornell employee IDs, and we are not planning on processing any such changes.
The Infosys McCamish Systems (IMS) Data Breach
New York Life Group Benefit Solutions partners with a third‐party vendor, Infosys McCamish Systems, LLC. (IMS), to offer Life Insurance, Voluntary Life Insurance (GUL and VTL), and Personal Accident Insurance. For Cornell, these policies apply to active faculty and staff, their spouses/partners and/or dependent children, retirees, their spouses/partners and/or dependent children and terminated individuals who maintain direct billing policies. McCamish also processes and maintains beneficiary information on those policies, and they administer a New York Life portal, along with the customer service center for New York Life.
On November 2, 2023, IMS detected a potential malware threat to their systems that occurred sometime between October 29, 2023, and November 2, 2023.
McCamish (IMS) immediately deactivated all active systems and stopped accepting all Secure File Transfer Protocol (SFTP) files (including Cornell data integration files). This effectively halted all NYLife and McCamish customer service and billing systems, and it was originally expected that all systems would return by November 30, 2023.
Cornell took immediate action by disabling data connections to NYL/McCamish and canceling Single Sign On (SSO) access to NYLife/McCamish websites and systems. Cornell SSO remained deactivated from November 9, 2023, to December 15, 2023, until McCamish could ‘rebuild’ their systems and give the ‘all clear’ to resume secure transmission/access.
Data Review & Possible Impact
While New York Life is Cornell’s contracted vendor for these policies, McCamish (IMS) is fully responsible for communicating, resolving, and offering assistance or services due to any data integrity or breach issue.
IMS has completed a thorough review of their data/systems for all New York Life clients, utilizing the services and partnership of audit firm Ernst & Young to evaluate the volume and data potentially impacted. This month, IMS determined the population whose personal data was breached. They are not currently aware of anyone who has experienced negative consequences of this breach.
To provide official notification (and preemptive data services) to all participants whose data may have been released, IMS began sending letters over the past week to all policyholders, for all accounts/plans, for any name that exists currently or previously in their system.
Recent Notifications From IMS
Because each of the Cornell plans below would have generated its own mandated notification letter, we are aware that some Cornell faculty, staff and retirees are receiving multiple copies of what appears to be the same letter, one notification for each of the plans/coverages below.
Over the years, formatting of names and/or the inclusion of middle initials (for example) may have differed in the McCamish system. Every variation of the name in their systems was used to ensure that everyone received at least one letter.
Plans/Coverages:
- Basic Life Insurance – automatic for employee
- Group Universal Life – for employee
- Group Universal Life – for Spouse
- Group Universal Life – for Dependents
- Personal Accident Insurance – for employee
- Personal Accident Insurance – for Spouse
- Personal Accident Insurance – for Dependents
- Basic Life Insurance – for Retiree
- Group Universal Life – for Retiree
- Group Universal Life – for Retiree Spouse
- Group Universal Life – for Retiree Dependents
- Personal Accident Insurance – for Retiree (Direct Bill)
- Personal Accident Insurance – for Spouse (Direct Bill)
- Personal Accident Insurance – for Dependents (Direct Bill)
More Information & Free Services Available
McCamish is offering free identity monitoring services, as described in the letter(s). You may wish to learn more about or utilize that service by visiting their contracted provider, Kroll Monitoring services, at this web address: https://enroll.krollmonitoring.com
PLEASE NOTE: While a unique Membership Number is listed on page 2 of each letter you received, you can enroll in services one time, using one number from any of the letters you received.
The CHANGE Healthcare data breach
On February 21, 2024, the CHANGE Healthcare business experienced a breach of their systems. CHANGE is a nationwide data depository for many of the largest health care companies, and they also provide services for hundreds of thousands of individual providers who use them for claims-paying and other services.
This breach is considered one of the most significant data breaches in the healthcare industry due to the number of companies, plans, policies, and functions that CHANGE supports. Because of the large number of data sources that fed and/or utilized CHANGE data, it has been very difficult for CHANGE or its partner companies to determine who exactly was impacted and to what extent.
As a precaution, Cornell immediately deactivated file integrations with any of its potentially impacted companies. These integrations were reactivated once companies could confirm the security of their systems, with some integrations remaining deactivated from February 22–29, 2024.
Data Review & Possible Impact
Between February and July 2024, CHANGE worked to determine potentially impacted individuals. From the end of July through the present, individuals have been receiving communications from CHANGE. It is estimated that approximately 1/3 of all Americans could be impacted and will ultimately receive notifications. Due to the large number of communications to be generated, you may not have received a letter yet.
Unfortunately, we are not able to confirm how many Cornell faculty, staff, or retirees may be included in the breach and/or if any have been negatively impacted.
It is important to understand that this particular data breach is not directly tied to Cornell plans or the data we transmit for our plans. The breached data may have been stored in the CHANGE system for multiple years and generated through interactions with numerous insurance companies, prior employers, federal government plans, provider offices, etc.
More Information & Free Services Available
If you have not yet received a letter or want to access more information on this event, a UnitedHealth Group link is below. You may also wish to consider whether you would like to utilize any services offered through the link.
https://www.unitedhealthgroup.com/ns/health-data-breach.html