I was reading yet another press release about an incident involving protected health information. This one was from Independence Blue Cross in Philadelphia. Let me start by quoting the relevant part and then I’ll meet you on the other side:
On May 8, 2020, the Independence Blue Cross Privacy Office was notified that certain member information may have been accessible for unauthorized viewing. We quickly launched an investigation to determine the nature and scope of this incident, working with a leading forensics investigation firm to confirm what happened and what information may have been affected. The investigation determined that certain Independence members used the same password credentials for multiple websites. These passwords were previously exposed through other third-party events, such as the 2018 MyFitnessPal application compromise. The passwords obtained from the third-party compromise were then used to obtain access to certain pages within Independence’s member portal between March 17, 2020, and April 30, 2020. After thorough investigation, Independence is unaware of any actual or attempted misuse of this information. In an abundance of caution, Independence is notifying affected members about this incident and will be offering access to 24 months of free credit monitoring and identity protection services.
If people reused passwords across sites, why is it Independence Blue Cross’s burden to offer them credit monitoring? Had they not reused passwords, their data would have been safe, right?
Or is Independence really responsible because they didn’t deploy 2FA and didn’t require complex or unusual passwords?
What do you think?
Update: Hours after posting the above, I found that AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey (collectively “AmeriHealth New Jersey”) issued an identical press release yesterday. So this incident may be quite big if they were hitting different insurance plans/companies during a 6-week period.