Topics
More on Analytics

Data breach hits Blue Shield of California vendor

Members impacted by the breach are being provided with no-cost credit monitoring and identity restoration services.

Jeff Lagasse, Editor

Photo: Al David Sacks/Getty Images

Blue Shield of California members may have had their data exposed during a data breach that occurred in late November, the insurer has revealed.

In early September Blue Shield received notification from a contracted vendor that it was the recent victim of the MOVEit secure file-transfer tool global data security incident. The vendor impacted by this incident manages vision benefits for many Blue Shield members, and it receives information related to member eligibility, authorized third parties and vision claims processing.

Blue Shield members impacted by the MOVEit file transfer tool security breach are being provided with no-cost credit monitoring with identity restoration services.

"Blue Shield takes this situation very seriously and is committed to protecting the privacy of members," the insurer said in a statement.

WHAT'S THE IMPACT?

On August 23, Blue Shield's vendor discovered that an unauthorized third party had accessed information on its MOVEit server by exploiting an unknown vulnerability in the system. The vendor immediately took the server offline, launched an investigation into the incident, engaged a cybersecurity firm and reported the matter to the FBI.

It was determined that the unauthorized third party exfiltrated information from the server on May 28 and May 31. The vendor has rebuilt the MOVEit system in accordance with gold standard build requirements, Blue Shield said. Before reactivating the system, the vendor undertook a number of technical measures to validate security controls put in place.

Following a detailed analysis and review of all potentially compromised files, Blue Shield recently determined that the information affected may have included member name, member date of birth, address, subscriber ID number, subscriber name, subscriber date of birth, subscriber Social Security number, group ID number, vision provider's name, patient ID number, vision claims number, vision related treatment and diagnosis information, and vision related treatment cost information.

There is no evidence that Blue Shield's systems and emails were ever affected or vulnerable to this attack, the insurer said.

As a precautionary measure, Blue Shield is recommending members remain vigilant by closely reviewing their credit reports and account statements. Those who believe they've been the victim of identity theft, or who believe their personal information has been misused, are encouraged to immediately contact law enforcement, the Federal Trade Commission or their state's Attorney General's office.

THE LARGER TREND

While data breaches affect all industries, healthcare suffers the largest financial hit, according to data compiled by the Ponemon Institute.

This year, the average cost of a data breach reached an all-time high of $4.4 million. That's a 2.3% increase from 2022, and, taking the long-term view, the average cost has increased 15.3% from the 2020 report.

Since 2020, healthcare data breach costs specifically have increased 53.3%, representing a considerable rise in recent years. This is the 13th consecutive year the health industry reported it had the most expensive data breaches, averaging $10.9 million in cost.

While data breach costs continued to rise, the participants were almost equally split on whether they plan to increase security investments because of a data breach. The top areas identified for additional investments included incident response (IR) planning and testing, employee training, and threat-detection and response technologies.
 

Twitter: @JELagasse
Email the writer: Jeff.Lagasse@himssmedia.com