The Blue Shield of California data breach
Blue Shield of California has recently sent letters to over 650,000 of its members advising them about a significant data breach compromising their health-related information.
Initial discovery and impact of the data breach
According to Blue Shield, on September 1, 2023, it received notice from one of its vendors, which manages vision benefits for many Blue Shield members, that information related to member eligibility, authorized third parties, and vision claims processing had been accessed by an unauthorized third party through the vendor's MOVEit file transfer application.
The cyberattack occurred due to a vulnerability that was exploited by cybercriminals, which has affected over 50 million individuals nationwide. It has been determined that the unauthorized third party exfiltrated information from the server on May 28, 2023, and May 31, 2023.
The breach has been reported to the HHS’ Office for Civil Rights in two separate breach reports, one involving the data of 636,848 Blue Shield of California plan members and another that has affected 26,523 Blue Shield of California or Blue Shield of California Promise Health Plan members who receive vision insurance benefits through Blue Shield.
Blue Shield’s response to the breach
According to Blue Shield of California, upon detection of the breach, the vendor responsible for this data immediately took the server offline, launched an investigation into the incident, engaged a cybersecurity firm and reported the matter to the FBI. The vendor has rebuilt the MOVEit system in accordance with gold standard build requirements. Before reactivating the system, the vendor undertook several technical measures to validate security controls put in place.
However, Blue Shield did not begin notifying impacted individuals until November 17, 2023, months later.
Individual notices have just been mailed out to impacted consumers over the past month, even though Blue Shield found out about this attack back in September 2023.
Personal information at issue in the breach
In the data breach incident letter sent out by Blue Shield of California, a significant amount of personal data was reportedly exposed.
According to Blue Shield,
“Following a detailed analysis and review of all potentially compromised files, Blue Shield recently determined that the information affected may have included: member name, member date of birth, address, subscriber ID number, subscriber name, subscriber date of birth, subscriber Social Security number, group ID number, vision provider’s name, patient ID number, vision claims number, vision related treatment and diagnosis information, and vision related treatment cost information.”
Personal data potentially disclosed in the breach
- Names: Affected individuals had their full names compromised.
- Social Security Numbers: One of the most sensitive pieces of information, Social Security numbers, were part of the breach, raising concerns about the potential for identity theft.
- Addresses: The leaked data included street addresses, which adds to the risk of fraud.
- Birth Dates: Dates of birth were exposed, providing a crucial element that often accompanies names and Social Security numbers in identity verification processes.
- Subscriber ID Numbers: Specific identifiers assigned to individuals within Blue Shield’s systems were also disclosed.
- Diagnosis and Treatment and Cost Information: Patients’ diagnoses and details about specific treatments, which are defined under state and federal law as protected health information and reveal sensitive health-related details, were included in the breached data.
- Health Plan Information: Information pertaining to affected individuals’ health insurance plans was compromised.
Individuals affected by the breach are advised to be vigilant; they should monitor their credit reports and may consider enrolling in credit monitoring and identity restoration services provided to mitigate potential damages.
In the wake of the Blue Shield of California data breach, investigations have been launched and protective measures initiated to bolster security and to support affected individuals.
The Federal Bureau of Investigation (FBI), along with third-party cybersecurity experts, is probing the breach at Blue Shield of California. The primary focus is to trace and identify the hackers responsible for the attack that compromised personal information.
The investigation also is likely scrutinizing the security measures in place prior to the attack at both Blue Shield of California and its vendor.
Blue Shield warns its members to “remain vigilant”
According to Blue Shield of California, “a dedicated call center has been established to answer questions. If you have any questions regarding this incident or the services available to you, please call 1-866-983-2632 Monday through Friday from 8:00am to 7:00pm Central Time, excluding major U.S. holidays.”
Blue Shield has also stated that “as a precautionary measure, we recommend that you remain vigilant by reviewing your credit reports and account statements closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or other company with which the account is maintained. You also should promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.”
Blue Shield also suggests obtaining copies of your credit reports and reviewing them carefully. “Look for accounts or credit inquiries that you did not initiate or do not recognize. Look for information, such as home address and Social Security number, that is inaccurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.”
The notification letter states that Blue Shield is offering complimentary credit monitoring and identity restoration services through Kroll. The letter contains instructions and deadlines for activating this service.
Your privacy rights under California law
Consumers impacted by this data breach should promptly consult a lawyer to explore their legal rights concerning privacy under California law. With the potential risk of sensitive information exposure, seeking legal advice is crucial to ensure one’s privacy rights are protected.
Lawyers specializing in this area can provide valuable guidance on potential legal action and help consumers understand the scope of their rights and possible compensation. It is essential for affected individuals to act swiftly and assertively to safeguard their privacy in the wake of this breach.
In California, consumers have specific legal and privacy rights, especially in data breaches. If you are a California resident and received a Recent Notice of Data Breach from Blue Shield of California, you may be entitled to between $100 and $750 or your actual damages, whichever is greater.
If your medical information was compromised, under the California Confidentiality of Medical Information Act, you may be entitled to $1,000 and your actual damages resulting from the negligent release of your confidential information.
Notice of data breach filed with the State of California
If you recently received a Data Breach Notice from Blue Shield of California and are concerned about this breach of your personal data and what your options are, fill out the following form or call us at 1-844-BREACH8 (1-844-273-2248).