Blue Cross and Blue Shield of Massachusetts (BCBSofMA) has just confirmed that a data breach at a business associate exposed the protected health information (PHI) of a number of its health plan members. The breach happened at LifeWorks US Inc., which provides services associated with the administration of the Retirement Income Trust, which consist of making payments to pension beneficiaries.
Around June 20, 2022, a former LifeWorks worker emailed spreadsheets to a personal email account and copied the email to the private email account of another former LifeWorks staff member. The spreadsheets contained the protected health information of people who qualified for or were receiving benefits from BCBSofMA.
The former workers claimed that the spreadsheets were sent to protect the formula used, and that attempts were made to erase all PHI in the spreadsheets; nevertheless, some PHI remained. The former staff stated that they did not further disclose the information in the spreadsheets and have already deleted the spreadsheets from their private email accounts. The spreadsheets only contained information such as names, Social Security numbers, addresses, and some pension benefit data.
BCBSofMA has stated that the breach affected 4,855 persons and has provided complimentary identity theft and credit monitoring services for 24 months to the affected individuals. LifeWorks said it is taking steps to prevent similar incidents.
Business Associate Ransomware Attack Affects Health Plan Members of Blue Shield of California
A subcontractor of a Blue Shield of California (BSofC) vendor has suffered a ransomware attack in which the protected health information of BSofC and BSofC Promise Health Plan members was accessed or acquired. OneTouchPoint (OTP) discovered the ransomware attack on April 28, 2022. OTP was a subcontractor used by business associate Matrix Medical Network.
OTP said it promptly terminated the unauthorized access to the network and launched an investigation into the security breach. Although it could not be confirmed whether files containing health plan members’ PHI were viewed or obtained, the possibility could not be ruled out. The files that may have been viewed contained names, diagnoses, prescription drugs, subscriber ID numbers, patient addresses, birth dates, sex, physician demographics data, advance directives, family records, social histories, allergies, vitals, immunizations, encounter information, assessment ID numbers, and assessment dates.
The data breach report submitted to the HHS’ Office for Civil Rights indicated that 1,506 health plan members were affected. Affected individuals were provided a free 12-month membership to a credit monitoring and identity theft protection service.