Employee error exposed data of 16,000 Blue Cross patients online for 3 months

By Jessica Davis
09:30 AM
An employee uploaded a file containing member information to a public-facing website in April, but officials did not discover the error until July.

Philadelphia-based Independence Blue Cross is notifying 16,762 patients -- about 1 percent of its members -- that their data was exposed online for a number of months, due to an employee uploading a member file online.

The Independence Blue Cross Privacy Office was notified on July 19 that member information was accessible online to the public. After an investigation alongside a forensics firm, officials determined an employee uploaded a file to a public-facing website.

The data was publicly accessible between April 23 and July 20. Officials could not rule out access. Upon discovery, officials permanently removed the file from the website. Further, officials said they also “ensured that the appropriate action was taken with the employee responsible.”

No details were provided on whether the employee intentionally exposed the data, or whether the incident was accidental.

The breached information included names, dates of birth, diagnosis codes, provider details and information used for claim processing purposes. While officials said that no Social Security numbers, financial data or credit cards were included in the breach, cybercriminals can use this type of data for medical fraud.

The breach serves as a reminder for organizations to have proper access controls and network monitoring in place to either prevent these types of errors or to quickly detect misconfigured or improperly uploaded data.

Independence Blue Cross is an independent licensee of BlueCross BlueShield, which has been hit with multiple breaches across its member associations. In fact, Excellus BlueCross BlueShield was hit with a cyberattack that breached the data of 10.5 million patients in 2015.

CareFirst BlueCross BlueShield was the most recent insurer to report a breach, after a phishing attack breached the personal data of 6,800 in April 2018.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com