Blue Cross Blue Shield of Minnesota, the state’s biggest health insurance provider, is currently working to resolve about 200,000 unaddressed vulnerabilities identified on its servers, some of which are over ten years old.
In August 2018, cybersecurity engineer Tom Yardic at BCBS Minnesota found that its servers had not been patched, even where critical or severe vulnerabilities were present. The engineer raised the issue with BCBS Minnesota executives, yet no action appears to have been taken.
About one month later, Yardic notified the BCBS Minnesota board of trustees in order to get the flaws addressed, a recent Star Tribune report stated.
The newspaper report stated that there was evidence obtained which revealed BCBS Minnesota had not addressed the vulnerabilities for several years. Close to 200,000 severe or critical vulnerabilities were not addressed on roughly 2,000 servers. About 44% of the vulnerabilities were over 3 years old and about 12% of the vulnerabilities were over 10 years old.
BCBS Minnesota insures about 3.9 million people. The failure to fix the vulnerabilities within a reasonable period of time has put their sensitive data at risk.
The Star Tribune talked with BCBS Minnesota officials, who affirmed that they are now working to resolve the vulnerabilities and said they are striving to fix as many of them as they can before the year ends. As per the Star Tribune, Minnesota Blue Cross did not dispute the accuracy of the historical vulnerability count but said that the current number of unaddressed vulnerabilities is significantly lower, particularly on workstations.
It isn’t unusual for a cybersecurity engineer to take steps to get such flaws corrected. What is shocking is that the company took so long to act, especially knowing that the 2015 cyberattacks on Premera Blue Cross, Anthem Inc., and Excellus BCBS led to the theft of over 99.8 million Americans’ protected health information (PHI).
What is surprising, given the large number of unaddressed vulnerabilities, is that BCBS Minnesota has not reported any data breach since 2009, when the HHS Office for Civil Rights began publishing data breach summaries on its breach portal.