- Blue Cross and Blue Shield of Rhode Island (BCBSRI) said that a health data breach of PHI affecting 1,567 people was caused by a vendor responsible for sending benefits explanations to members, the Providence Journal reported.
The benefits explanations, or summaries, were sent to the wrong members in the same household or on the same family healthcare plan.
The summaries included member’s name, the BCBSRI ID number, service provider, type of service provided, and cost of claim.
“A member’s social security number and date of birth are not included in these summaries,” the insurer said in a statement obtained by the newspaper.
“We believe the risk of identity theft as the result of this issue is very low because social security number was not included and the person receiving the information was a family member or person covered on the same family policy,” it added.
BCBSRI said that it hired a vendor to combine the benefit explanations for some members covered on the same policy to reduce the number of summaries being sent out. However, in July, BCBSRI discovered that the vendor was combining the benefit explanations incorrectly, resulting in summaries being sent to the wrong family member or other individual covered on the same policy.
“We immediately directed the vendor to stop combining healthcare services summaries. For now, members are receiving an individual summary for each service while BCBSRI explores a long-term solution that would allow services to be grouped into one summary,” the insurer said in its statement.
A few years ago, Blue Cross and Blue Shield insurers across the country were facing health data breaches of millions of members.
In 2015, four of the top ten healthcare data breaches involved Blue Cross and Blue Shield-affiliated health insurers.
The largest one by far was the Anthem breach that compromised personal information on 78.8 million members and employees. Anthem said that hackers had breached one of its databases and gained access to member and employee data including names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses.
The second largest breach in that year involved Premera Blue Cross, where 11 million individuals were affected. Applicants' and members’ names, dates of birth, email addresses, addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information, including clinical information, were all exposed.
Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the health insurer’s affiliate brands Vivacity and Connexion Insurance Solutions were all potentially affected. Members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska were also affected by the cyberattack.
The third largest breach of that year at Excellus Blue Cross Blue Shield (Excellus BCBS) potentially compromised 10 million individuals’ PHI.
Excellus BCBS announced in September that it discovered on August 5, 2015 that it had been the victim of a cyber attack.
Potentially exposed information includes individuals’ names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claims information.
“This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31 county upstate New York service area of Excellus BCBS,” Excellus BCBS explained. “Individuals who do business with us and provided us with their financial account information or Social Security number are also affected.”
CareFirst BlueCross BlueShield (CareFirst) was another cyber attack victim that year, announcing in May that approximately 1.1 million current and former members potentially had their information accessed.
Cyberattackers reportedly gained access to a single database. CareFirst said it used that database for members and other individuals to access CareFirst’s websites and online services.
Personal information involved in the breach included member usernames created by individuals to access CareFirst’s website, members’ names, dates of birth, email addresses and subscriber identification numbers. Social Security Numbers, medical claims information and financial information were not affected, according to the health insurer.