Connextions, a technology and solutions provider providing call-center services for health insurers, reportedly had a long-running breach that affected over 4,800 patients insured by Anthem Blue Cross Blue Shield of Indiana, Anthem Blue Cross Blue Shield of Ohio, and Empire Blue Cross Blue Shield of Indiana.
According to HHS’s breach tool, which first made me aware of the incident, the breach occurred on or about November 1, 2011 and continued through October 1, 2012. Given HHS’s hopelessly broad reporting system, all I could tell from their entry was that the insurance companies reported the incident as “Theft, Unauthorized, Access/Disclosure” of data located on a network server. But that could mean so many different things.
Asked to provide more details on the breach, Connextions responded to PHIprivacy.net that they “cannot discuss details” but
We take very seriously our responsibility to protect consumer information, and have taken additional steps to reinforce our rigorous information security policies and practices. We have been cooperating with authorities on this matter.
What they wouldn’t tell PHIprivacy.net, the insurers did. In a statement to PHIprivacy.net, a spokesperson for Wellpoint (Anthem’s parent company) explained that an employee of Connextions confessed to Social Security Administration (SSA) investigators that she took Social Security numbers, including those from members of Anthem Blue Cross and Blue Shield.
“There are indications that the employee may have conveyed some of this information to third parties who are the subject of an ongoing criminal investigation. This individual’s employment with Connextions was terminated immediately upon Connextions becoming aware of the incident,” Cindy Wakefield informed PHIprivacy.net.
“Anthem Blue Cross and Blue Shield has worked diligently since discovery of this matter to identify all members whose information may have been impacted by the Connextions’ employee. While the investigation is ongoing, four members have been identified as impacted to date. Anthem Blue Cross and Blue Shield is in the process of contacting these members to offer them free identity theft protection service. Additionally, Anthem Blue Cross and Blue Shield will provide notices to approximately 6,000 members whose information could have been impacted, offering them free identity theft protection service. We believe the number of impacted members is much smaller than the number of members we are notifying,” she adds.
The 6,000 is more than the total of 4,814 patients reported on HHS’s breach tool for the three insurers.
Wakefield was not able to say what type of impact the four members had experienced – whether it was new account fraud, tax refund fraud, or some other type of impact. Although Anthem Blue Cross and Blue Shield and Connextions are cooperating fully with the law enforcement agencies investigating the matter, they are not aware of the details of the investigation.