Blue Shield of California members’ Social Security numbers, other data stolen — ‘a gold mine for thieves’

Sensitive data from Blue Shield of California vision policy holders — including Social Security numbers, birth dates and addresses — may be among confidential patient information accessed by criminal hackers, the Oakland-based health insurance giant announced this week.

The breach, which may also have included diagnosis and treatment information, resulted from a cyberattack on a widely used software tool for sending and receiving data, Blue Shield said. The insurer is among thousands of organizations affected by the hack.

Despite multiple requests, Blue Shield refused to say how many of its 4.5 million customers have vision plans and may have had their data taken.

“Blue Shield of California has followed all applicable State and Federal requirements in notifying members and regulatory agencies about data we believe to have been exposed,” the company said. Blue Shield said it had taken “immediate steps” to protect its network and that there is no indication its own systems were infiltrated.

The non-profit company cited an online news release dated Nov. 17 for more information, but on Thursday the release did not appear among the news releases on the Blue Shield news web page.

According to the release, a vendor that “manages vision benefits for many of our Blue Shield members” notified Blue Shield on Sept. 1 that it had discovered Aug. 23 that hackers had “exfiltrated information” in May.

While the news release lists numerous categories of exposed information, Blue Shield said in an email that the “data impacted in the cybersecurity incident varied for individual members,” so it tailored notification letters to members accordingly.

A letter reviewed by this news organization from Blue Shield about the breach, dated Nov. 10 but not received until this week by a California customer, said information including their name, address, birth date, Social Security number and member-identity number may have been stolen.

Typically, “highly sensitive information” like the data stolen from Blue Shield ends up for sale on the illicit online marketplace known as the dark web, said Bill Budington, senior staff technologist at the San Francisco digital-privacy group Electronic Frontier Foundation.

The U.S. Federal Trade Commission warns that stolen names and Social Security numbers can be combined to allow criminals to steal victims’ tax refunds. Add a health insurance identification number and a criminal can see a doctor, get prescription drugs, buy medical devices or submit insurance claims in a victim’s name, the agency said. The U.S. Department of Justice warns that with enough stolen personal data, bad actors can make false applications for loans and credit cards in a victim’s name or withdraw money from their bank accounts.

Budington noted that Blue Shield waited weeks before issuing notifications about the breach, depriving affected members of the ability to take timely action to protect themselves from identity theft or other crimes. “Companies need to do better,” he said.

Hackers stole Blue Shield members’ information from the vision-benefits manager’s computer server running the MOVEit file-transfer tool, according to Blue Shield. MOVEit is used around the world by governments, financial institutions and companies to send and receive information, purportedly securely.

In June, a cybercriminal group known as Clop, believed by the U.S. government to be Russia-linked, announced that it had broken into MOVEit in May. New Zealand cybersecurity firm Emsisoft’s running tally indicates more than 2,600 organizations around the world had data stolen in the attack, including government-services giant Maximus and the state governments of Colorado and Maine. It’s unclear whether information taken by the hackers has been put up for sale on the dark web, Budington said.

According to Emsisoft, U.S.-based organizations make up nearly 80% of known victims. Globally, the most affected sectors are education at 40% of victims, health care at 20% and finance and professional services at 13%, Emsisoft reported.

A June lawsuit in federal court in Massachusetts against MOVEit maker Progress Software described the information stolen as “a gold mine for data thieves.”

For Blue Shield, it’s the second data breach to be made public this year. In March, the insurer reported that a subcontractor to one of its providers had “suffered a security incident” in late January, with an attacker downloading files. Blue Shield members’ information possibly stolen included birth dates, addresses, genders, phone numbers and email addresses but not Social Security numbers or financial or health information, Blue Shield said.
