Blue Cross of Idaho is notifying 5,600 individuals that a data breach at their facility has compromised their protected health information (PHI).
Blue Cross of Idaho is a not-for-profit health insurer, with around 560,000 customers, making it one of the largest health insurance organisations in the state of Idaho. Paul Zurlo, the Executive Vice President, has said that the breach only affects 1% of its members.
The breach was discovered on March 22, 2019. Blue Cross immediately launched an investigation to assess the scope of the breach and determine how it first occurred. Investigators discovered that an unauthorised individual hacked its website the day before, on March 21, gaining access to its member portal. The unauthorised individual could access and view the PHI of some of the health insurer’s customers on documents such as provider remittance documents.
During the period in which the unauthorised individual had access, they also attempted to reroute provider financial transactions for their own financial gain.
When the breach was discovered, Blue Cross of Idaho took steps to secure its online portal and revoke the unauthorised individual’s access.
Blue Cross of Idaho reported the incident to the FBI. The investigation remains ongoing. They have contracted a third-party external cybersecurity organisation to assist their internal with the investigation, and assess the security of the portal. Blue Cross has also hired financial experts to determine if any financial transactions that have taken place. All transactions going through the system are being monitored to ensure they are legitimate.
The remittance documents which the hacker access contained information such as names, ID numbers, patient account numbers, claims numbers, payment data, procedure codes, provider names, and dates of service. The breach did not affect Social Security numbers, driver’s license numbers, bank account information or debit/credit card numbers.
Blue Cross has advised all affected individuals to carefully monitor their bank account, credit card, and other financial statements for suspicious activity, even though financial information was not exposed. Customers should also check the explanation of benefits statements for any signs of fraudulent activity.
Blue Cross of Idaho and their investigators have not uncovered any signs that the hacker has misused the customer data.
Although the breach did not compromise Social Security or other information that is commonly used in identity theft, Blue Cross of Idaho is offering credit monitoring and identity theft protection services to affected members for three years.
“We take consumers’ privacy very seriously, and we are committed to keeping our members’ data secure,” said Blue Cross of Idaho Executive Vice President Paul Zurlo.
Blue Cross of Idaho is sending new ID cards with different membership ID numbers to all affected individuals in the next few weeks. Their IT security staff continues to monitor the security of its system to ensure that members’ personal information is safe and secure.