Hacker of Blue Cross of Idaho Website Attempts to Reroute Payments

The website of Blue Cross of Idaho was hacked, allowing an unauthorized person to access its member portal and view the protected health information (PHI) of some members.

Blue Cross of Idaho is a large health insurance company in Idaho that serves about 560,000 Idahoans. Paul Zurlo, Executive Vice President of Blue Cross, stated that about 5,600 persons, or 1% of Blue Cross members, were affected by the breach.

The security breach happened on March 21, 2019, and was identified the next day. During the period in which the portal was accessible, the hacker viewed provider remittance files and tried to reroute financial transactions.

When the breach was discovered, Blue Cross of Idaho blocked the unauthorized access and secured the portal against further document access to avert financial fraud. The FBI received the incident report, and the investigation is still ongoing. The health insurance provider is cooperating with internal and external financial experts and cybersecurity experts to check the patient portal and determine whether there were any fraudulent financial transactions. The experts are monitoring all system transactions to make sure they are legitimate.

The remittance documents contained no bank account details, debit/credit card numbers, Social Security numbers, or driver’s license numbers. The compromised data was limited to names, patient account numbers, enrollee numbers, claims numbers, payment information, procedure codes, service provider names, and service dates.

Although financial data was not compromised, the members affected by the breach were instructed to watch for fraudulent activity on their credit card, bank account, and other financial statements. Explanation of benefits statements must also be reviewed in case they list services that were not provided.

After sensitive data is exposed, it is recommended that free credit monitoring and identity theft protection services be provided. When a data breach exposes Social Security numbers, financial details, or driver’s license numbers, those services are normally made available free for a year.

Although highly sensitive data was not compromised and there seems to have been no attempt to misuse PHI, Blue Cross of Idaho is providing affected members with free credit monitoring and identity theft protection services for three years.

Blue Cross of Idaho will also send all affected persons new ID cards with a new membership ID number in the next few weeks. The system is being monitored continuously to ensure its security and the safety of all members’ personal data.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA