BenefitMall Phishing Breach Affecting Multiple Health Insurers (2018–2019)

📅 2018-06-01 🏢 BenefitMall

Incident Details

BenefitMall (operating as Centerstone Insurance and Financial Services) is a national provider of payroll, employee benefits administration, and HR services whose clients include major health insurers. In late 2018, the company suffered a prolonged email compromise after employees fell victim to phishing attacks that exposed their email login credentials.

The breach window ran from approximately June 2018 through October 19, 2018, when BenefitMall detected and contained the intrusion. During that period, attackers had persistent access to employee email accounts containing sensitive personal and financial information submitted by insurance members and covered employees of BenefitMall’s insurer clients.

Exposed data included names, addresses, Social Security numbers, dates of birth, bank account numbers, and insurance premium payment information. The breadth of the data reflected BenefitMall’s role as a benefits administrator with access to deeply sensitive HR and financial records on behalf of client companies.

Downstream victims included customers and covered employees of Highmark Blue Cross Blue Shield, Aetna, EmblemHealth, Humana, and UnitedHealth Group. Aetna, for example, received notification from BenefitMall on December 18, 2018, and subsequently began mailing letters to affected members and offering two years of free credit monitoring.

The total number of affected individuals was reported at approximately 111,000, though some state-level notifications cited smaller figures; Delaware authorities reported around 650 affected residents. The number of people affected likely varied significantly across insurers and states.

In response, BenefitMall implemented multi-factor authentication on employee email accounts and conducted internal phishing awareness training. The company also cooperated with affected insurers’ own investigations and regulatory notifications.

The incident illustrates how a single mid-tier benefits administration firm with access to data across dozens of major insurer clients represents a high-value, high-impact target. A successful phishing campaign against back-office staff — rather than a direct attack on the insurers themselves — achieved access to the same sensitive member data the insurers hold.

Technical Details

Initial Attack Vector: Phishing attack compromising employee email credentials at BenefitMall; attacker accessed employee mailboxes containing sensitive member data

Vendor / Product: BenefitMall

Supply Chain Attack: ✅ Confirmed third-party / vendor compromise

Timeline

  1. 2018-06-01 Breach occurred
  2. 2019-01-01 Publicly disclosed
  3. 2019-01-01 Customers notified