About 21,000 California Blue Shield customers and family members may soon receive a notice that their information was part of a breach, according to a notice the company issued on Jan. 19. Blue Shield says the data may have been accessed between Sept. and Dec. 2015 by an “unauthorized user,” a term it uses for “hackers or insiders who have criminal intent.” The compromised information includes names, addresses, dates of birth, Social Security numbers and possibly medical records, including the medical identification number, of anyone enrolled between Oct. 2013 and Dec. 2015.
The company said the breach occurred when a vendor that provides enrollment assistance was targeted by a telephone scam at its call center. It appears that the log-in credentials of customer service representatives were targeted and then abused. BlueCross/BlueShield is no stranger to breaches: in 2015 more than 100 million customers were affected by company breaches in various regions, including at the subsidiaries Anthem, Excellus and Premera.
A study released at the end of Dec. 2015 by the Association for Corporate Counsel found that “employee error” is the most common cause of a data breach. One example of employee error cited in the survey, “accidentally sending an email with sensitive information to someone outside the company,” has been identified in studies of workplace breaches for more than 15 years. Other examples include lost laptops, storage devices and even mobile devices.
Last week Montana’s New West Health Services, which offers Medicare Advantage and Medicare Supplemental Plans, announced that an unencrypted laptop had been stolen from an off-site location. It contained past and current information for about 25,000 customers, including names, addresses and, in some cases, driver’s license numbers, Social Security numbers or Medicare claim numbers. It may also have held payment information, including bank account or credit card information, as well as some health information, including birthdates, medical history and condition, diagnosis and/or prescription information.
In addition, during the week of Jan. 11 a USB drive was stolen from St. Luke’s Cornwall Hospital in New York, exposing the personal health information (PHI) of some 29,156 patients. The stolen thumb drive appears to have included a file that may have contained, for some patients, their name, medical record number, date of service, type of imaging service received, and administrative-type information used for internal business purposes. The thumb drive did not contain any Social Security numbers or electronic medical records, which remain secure.
In Indiana, a missing storage device at Indiana University Health Arnett Hospital may have exposed the data of 29,324 patients. The hospital sent out notification letters explaining that the device contained patient names, ages, dates of birth, home phone numbers, medical record numbers, service dates, diagnosis information and treating physicians for people who visited the emergency department between Nov. 1, 2014 and Nov. 20, 2015. As with BlueCross, this is not the first time Arnett Hospital has had a breach caused by lost equipment: in May 2013 IU Health Arnett was compelled to notify more than 10,000 patients after an unencrypted laptop was stolen.
“The richness of the information means that the cyber security threat to healthcare has increased,” said Michael Ebert, KPMG partner and healthcare leader at the firm’s Cyber Practice, in the firm’s 2015 Cyber Healthcare Survey. “The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed.”
“A hospital typically has some tough choices when it comes to investing,” Ebert said. “If it has a million dollars it is more likely to spend on patient care and saving lives before protecting their data.”