Blue Cross Blue Shield of Michigan (BCBS) is a medical
insurer located in MI. Its clients are varied, work for small to
large-sized employers, and are located throughout the state.
Issue
BCBS uses contractors for various roles throughout the company. One vendor
is COBX Co., a wholly-owned subsidiary of BCBS. The subsidiary is tasked
with the Medicare Advantage Services for its clients. An employee of COBX had
their laptop stolen on October 26, 2018. BCBS of Michigan notified
approximately 15,000 Medicare Advantage members of a potential breach. The
notification was done via letter. While this is not a good thing, it is
pertinent that the laptop was at least encrypted and required a password.
Normally, this would be fine if the encryption was above a certain
baseline protocol. The problem was that the employee's credentials could have been
compromised, meaning the person with the laptop would still be able to access
the data.
Data
Fortunately, the affected BCBS customers' Social Security numbers and financial
information were not accessible from the stolen laptop. The data
that was available includes the customers' first name, last name, date of
birth, gender, medication, diagnosis, provider information, and enrollee
identification numbers.
Remediation
There has been no direct evidence that the customers' data was accessed.
With this type of issue, the absence of direct evidence that the data was
used for malicious means does not mean it has not been used, and there is no
guarantee it won't be used in the near future. BCBS of Michigan noted there is a
low chance of identity theft due to the nature of the data involved. BCBS is
offering the affected parties AllClearID identity protection services. The term
for this service is two years, and it is free to the customers potentially at risk.
The contractor involved did have his credentials changed once the issue came to
light. BCBS of Michigan is working with COBX to review its policies and
procedures. They are also putting additional safeguards in place.
Comments, Concerns, etc.
The laptop required a password for access and was encrypted, which
required another password. Normally, this may be a non-issue, as with most
industry-accepted encryption protocols, brute forcing this or decrypting the data
would require several lifetimes. Because the notice announced that the
contractor's credentials may have been compromised, this nearly leads me to
believe the credentials may have been openly accessible, as in written on a Post-it
note on the laptop, or otherwise easily acquired.