Oakland-based health insurance giant Blue Shield of California disclosed a significant breach this week, revealing potential exposure of sensitive data belonging to vision policy holders. The compromised information, suspected to have fallen into criminal hands, encompasses Social Security numbers, birth dates, addresses, and possibly diagnosis and treatment details.
The breach, attributed to a cyberattack targeting widely used data transmission software, extends beyond Blue Shield and affects numerous organizations. Despite inquiries, Blue Shield declined to specify the number of impacted customers among its 4.5 million with vision plans.
In response, Blue Shield said it is adhering to state and federal regulations in notifying affected members and regulatory bodies. The company said it took immediate measures to safeguard its network and has no evidence that its own systems were infiltrated.
The breach traces back to a vendor that manages vision benefits for Blue Shield members. According to a November 17 online release, the vendor alerted the insurer on September 1 to data exfiltration that occurred in May. However, this release was notably absent from the company’s news web page on Thursday.
Because the impact varied from person to person, affected members received tailored notification letters detailing their potential data exposure. A customer in California received a letter dated November 10, indicating the possible compromise of personal information, including name, address, birth date, Social Security number, and member-identity number.
Bill Budington of the Electronic Frontier Foundation highlighted that such “highly sensitive information” could end up in illicit online markets such as the dark web. The compromised data, when combined, poses risks such as tax refund theft and fraudulent medical claims, with severe consequences outlined by the U.S. Federal Trade Commission and Department of Justice.
Citing delays in notifications, Budington emphasized the need for companies to act in a timelier manner to safeguard affected individuals against identity theft and related crimes.
Blue Shield confirmed that hackers accessed members’ information via the server of the MOVEit file-transfer tool, which is used globally for secure data exchange. The cybercriminal group Clop, which the U.S. government believes has links to Russia, claimed responsibility for breaching MOVEit in May, an attack that impacted over 2,600 organizations worldwide, including governmental entities and corporations.
Emsisoft’s data revealed a predominance of U.S.-based victims in the attack, primarily in the education, healthcare, finance, and professional service sectors. A lawsuit against MOVEit maker Progress Software described the stolen information as a “gold mine for data thieves.”