Thousands of Blue Cross Blue Shield patients were affected by the theft of patient data from a network server to which Anthem Blue Cross Blue Shield of Indiana, Anthem Blue Cross Blue Shield of Ohio, and Empire Blue Cross Blue Shield of Indiana were all connected. But this case shows that there’s often more to a health data breach story than what is conveyed in the Department of Health and Human Services (HHS) Breach Notification Tool, which tallied the number of patients at just more than 4,800. Anthem Blue Cross Blue Shield alone reported that 6,000 patients’ data may have been impacted.
PHIPrivacy.net reports that the source of the breach was solutions provider Connextions, which Blue Cross Blue Shield uses for call-center services. The patient data was compromised between Nov. 1, 2011 and Oct. 1, 2012. While HHS described the breach as a “theft, unauthorized access/disclosure” of the data, Connextions hasn’t provided many details on the incident. Instead, it was Anthem Blue Cross Blue Shield’s parent company (Wellpoint) that told Social Security Administration (SSA) investigators that a former Connextions employee had stolen Social Security numbers from Anthem patients.
“There are indications that the employee may have conveyed some of this information to third parties who are the subject of an ongoing criminal investigation. This individual’s employment with Connextions was terminated immediately upon Connextions becoming aware of the incident,” Cindy Wakefield told PHIprivacy.net.
Wakefield went on to say that Anthem has determined that four patients had their data tampered with, though it’s unclear exactly how their information was abused. Anthem has already reached out to these patients to offer them free identity protection services and has sent letters to the 6,000 patients whose data may be part of the breach, even though it believes only a small number of patients had their data compromised.
Here is yet another example of the perils of sending patient data downstream to contractors, especially for a large health insurer such as Blue Cross Blue Shield. Connextions appears to do a lot of business with healthcare insurers, and its website ironically boasts of delivering 75 percent Health Risk Assessment completion rates, yet it clearly didn’t have the necessary physical, technical or administrative safeguards in place to prevent this breach.