Melissa Burden reports:
Blue Cross Blue Shield of Michigan is notifying about 6,500 members whose personal, but non-medical information was exposed on a third-party website, the insurer said today.
The nonprofit health insurer said the breach involved a website created by Harper Woods-based Tstream Software, which was doing work on behalf of Warren-based Agent Benefits Corp., an insurance agency that works with insurance agents to enroll individuals under 65 in individual Blue Cross products.
There is no evidence the information — which included names, addresses, birthdates and Social Security numbers of people applying for individual health insurance from 2006 to 2098 (sic) — was used inappropriately, said Helen Stojic, a Blue Cross spokeswoman.
“We’re in the process of mailing the members letters,” Stojic said. “As a precautionary measure, we’re offering credit protection services for a year.”
The Blues learned of the issue on Nov. 17 when a member reported she found personal information about herself after searching the Internet for her name. Agent Benefits and Tstream Software quickly shut down the site when the Blues requested it, and Stojic said the breach was reported to the U.S. Department of Health and Human Services.
It also sought and received an injunction in Wayne County Circuit Court to make sure the companies preserved data and allowed the Blues full access to data that was on the website, Stojic said.
Members who were affected can call (866) 519-5876 with questions.
Source: The Detroit News
This breach report is interesting to me for two reasons:
1. BCBS named names instead of trying to shield the contractors.
2. They sought an injunction to preserve data so that they could determine what was exposed.
Why did they need an injunction? Don’t they trust their contractor?
And of course, once again we see a breach is discovered by a member of the public. Maybe routine security checks should include randomly pulling a name and googling it to see if anything shows up that shouldn’t.
So far, there’s no indication of when the breach occurred. We may have to wait for the report to HHS to become public to find that out. There’s no notice on the BCBSM web site linked from the home page at this time.
Update: The incident now appears on HHS’s breach tool web site. Curiously, their report to HHS indicates that 2,979 patients were affected (not 6,500). I’m not sure which is the more current number. The HHS log indicates that the breach occurred on or about November 17, but from the media report, that was the day they learned of the problem, not when it actually occurred. So we still don’t know for how long records were exposed and indexed in search engines.