Update: On July 27, OneTouchPoint notified the Maine Attorney General’s Office that a total of 1,073,316 people were impacted by their breach.
In June, Arkansas Blue Cross and Blue Shield disclosed a breach involving their business associate, Matrix. Matrix had been notified by OneTouchPoint of a cyberattack that occurred between April 27 and April 28. OneTouchPoint, provides printing and mailing services to health insurance carriers and medical providers. Arkansas BCBS reported that 1,423 of its members were impacted.
This month, Blue Shield of California (and BS Promise Health Plan) also revealed that some of their members had been impacted by the incident involving OneTouchPoint:
On May 20, 2022, Blue Shield learned that a subcontractor of a Blue Shield vendor, Matrix Medical Network (‘Matrix’), was the victim of a ransomware event. On April 28, 2022, Matrix’s subcontractor, OneTouchPoint (‘OTP’), detected suspicious network activity and confirmed a threat actor had infiltrated OTP’s servers. Matrix notified Blue Shield about the incident on June 16, 2022; your protected health information may have been accessed.
Blue Shield of California reported that 1,506 of their members and BS Promise Health Plan members were impacted.
This week, OneTouchPoint has issued its own notification about the incident on behalf of some covered entities. Their notification explains, in part:
What Happened? On April 28, 2022, OTP discovered encrypted files on certain computer systems. OTP immediately launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the activity. The investigation determined that there was unauthorized access to certain OTP servers beginning on April 27, 2022. On June 1, 2022, OTP learned that it would be unable to determine what specific files the unauthorized actor viewed within the OTP network. OTP provided a summary of the investigation to its customers beginning on June 3, 2022.
[…]
While the specific data elements vary for each potentially affected individual, the scope of information potentially involved includes an individual’s name and one or more of member identification number, information provided as part of a health assessment, address, date of birth, description of service, date of service and diagnosis codes. One covered entity had Social Security numbers of members impacted.
Their notice does not identify what ransomware group or threat actor was responsible and whether there was any ransom demanded, negotiated, or paid. The incident has not shown up yet on any dedicated dark web leak sites (or if it has, DataBreaches has not spotted it yet).
The website version of their notice provides the list of covered entities on whose behalf they are providing notice:
Common Ground Healthcare Cooperative
Banner Medicare Advantage Dual
Blue Cross Blue Shield of Arizona
MediSun, Inc. d/b/a Blue Cross Blue Shield of Arizona Advantage
Health Choice Arizona, Inc
Blue Cross Blue Shield of Massachusetts
Blue Cross Blue Shield of Rhode Island
Blue Cross Blue Shield of South Carolina Commercial
BMC HealthNet Plan / Well Sense Health Plan
Cambia Health Solutions
CareFirst Advantage
Caresource
Commonwealth Care Alliance
ElderPlan, Inc
EmblemHealth Plan, Inc.
Florida Blue
Geisinger
Health Alliance Plan of Michigan
HAP Midwest Health Plan
Health First
Health New England
Health Plan of San Mateo
HealthPartners
Highmark Health
Humana
Kaiser Permanente
KS Plan Administrators, LLC
MVP Health Care
Pacific Source
Premera Blue Cross Medicare Advantage Plans
Prime Time Health Plan
Point32Health
UCare Minnesota
UPMC
Matrix Medical Network
ElderPlan, Inc.
Health New England
Banner Medicare Advantage Dual