Muncie’s Meridian Health Services latest company hit by W-2 ‘phishing’ scam

MUNCIE, Ind. – Yet another Indiana company has fallen victim to a data breach.

A company spokeswoman said all W-2 forms at Meridian Health Services in Muncie have been compromised. The problem affects about 1,200 employees.

Several Indiana companies have been the victims of similar breaches in recent weeks after being targeted in “phishing” scams, including Scotty’s Brewhouse, Monarch Beverage and American Senior Communities.

In those cases, the companies were tricked into disclosing the personal tax information of workers. Officials with Meridian Health said the same thing happened to them; an employee mistook a phishing email scam for a “legitimate internal company request from a high level executive.”

As a result, W-2 information including names, addresses, wages, taxes and social security numbers ended up being disclosed. The breach involved everyone employed by Meridian during the 2016 calendar year.

Meridian will provide comprehensive ID theft protection for two years for employees at no charge. Workers learned about the breach on Friday.

The company said no patient data had been compromised.

Tackling cyber crimes 

As cyber crimes become more common, the need for experts in the field continues to grow. Indiana University is launching a new master's degree in cyber-security risk management to fill the void.

"It’s an increasingly complex threat environment that companies are facing," said Scott Shackelford, associate professor at the IU Kelley School of Business.

Unlike other cyber security degrees, this curriculum will focus on policy, legal and ethical cyber-security questions. The program will bring together experts from the Kelley School of Business, Maurer School of Law and School of Informatics and Computing.

"Anybody going into management needs to have some knowledge of cyber security nowadays," Shackelford said.

Shachelford said having the right people on staff can help companies safeguard their files and ensure employees are well-trained.

"Even if something is from someone you know and work with everyday,  if it's for a request that doesn’t look quite right or doesn’t have context, reach out to them first," Shackelford said in regards to phishing email scams. "We have to do a little more internal risk management as well."

Shackelford adds companies should be informed, be organized and be proactive when it comes to cyber-security.

The deadline to apply for the new master's program is May 15. More information here.