On April 22, I noted that HHS had added a report from Blue Cross And Blue Shield Of Kansas City (“Blue KC”), but that I had been unable to find any information on the “unauthorized access/disclosure” breach that reportedly affected 2,546.
It turns out that this was an insider breach involving employee wrongdoing.
On April 11, 2014, attorneys for Blue KC notified the Maryland Attorney General’s Office that in February 2014, Blue KC received reports from two members that there had been unauthorized charges on credit cards they had recently used to make payments to Blue KC by phone. Blue KC investigated, and on February 26, determined that an employee violated Blue KC’s policies and procedures and “may have put the financial information of a very limited number of members at risk.”
There was no compromise of Blue KC’s system and it seems that the only members affected are those who would have given this one unnamed employee their names, addresses, and credit card or bank account information to make premium payments over the phone.
Those affected were offered services with AllClearID as part of mitigation efforts.
The employee was terminated and reported to law enforcement.
You can read the notification to Maryland and affected members here (pdf).