Bcbs Data Breach Exposed Patient Information

A data breach at BCBS exposed patient information, putting sensitive data at risk.

The breach occurred in 2020 and affected over 1.9 million patients.

Sensitive information such as names, dates of birth, addresses, and Social Security numbers was compromised.

BCBS reported that the breach was caused by a third-party vendor that had accessed their system without authorization.

The company claimed to have taken steps to secure the system and prevent future breaches.

In October 2009, 57 unencrypted computer hard drives were stolen from a leased call-center facility used by BlueCross BlueShield of Tennessee.

The drives contained sensitive member information, including names, Social Security numbers, diagnoses codes, dates of birth, and health plan identification numbers.

The company failed to implement adequate security measures, such as performing a required security evaluation in response to operational changes and having proper facility access controls.

As a result, the company spent nearly $17 million on investigation, notification, and protection efforts to restore member trust.

The breach was among the first major breaches to occur after the September 2009 effective date of the breach notification rule.

Anthem's investigation found that compromised information included names, dates of birth, health ID numbers, addresses, phone numbers, and email addresses.

Some Social Security Numbers were also compromised, but not all records maintained by Anthem had SSNs associated with them.

The company took steps to prevent future breaches, including encrypting all stored data in the aftermath of the breach.

The FBI has confirmed it's investigating a cyber intrusion involving Lifetime Healthcare Companies, including Excellus BlueCross BlueShield. This is a significant development in the BCBS data breach.

Excellus is cooperating fully with the FBI's investigation and has taken proactive steps to address the issue. They've moved quickly to close the vulnerability, remediate their IT systems, and strengthen their security.

The company has seen no evidence that the stolen data has been used for fraudulent purposes, but they're offering two years of free credit monitoring and identity theft monitoring services to affected victims. This is a generous offer and a good example of how companies should respond to a data breach.

Individuals who've been contacted by Excellus should take steps to monitor and safeguard their personally identifiable information. This includes reporting any suspected instances of identity theft to the FBI's Internet Crime Complaint Center.

The FBI works extensively with private industry to raise awareness of cyber threats, and they've issued breach-related warnings to the healthcare sector. This is a good reminder that cyber intrusions are a significant threat and that companies need to be vigilant in protecting their systems.

The Blue Cross and Blue Shield of Alabama computer systems were not attacked, but the Anthem system was the target of a sophisticated external cyber attack.

The attack on Anthem's system was not a result of a breach within Blue Cross and Blue Shield of Alabama's own systems, but rather a shared data exchange with other Blue Cross and Blue Shield Plans.

Blue Cross and Blue Shield of Alabama shares data with other Blue Cross and Blue Shield Plans to facilitate payment for services received outside of Alabama.

This data sharing is necessary for members who receive healthcare services in other states, and it's why some non-Anthem members had their personal information impacted.

The data impacted included current or former members who received healthcare services in one of the 14 states serviced by Anthem.