Courtney Perkes reports:
Blue Shield of California announced Thursday that personal information from nearly 21,000 individual and family plan customers was accessed in a security breach late last year.
The information included names, addresses, dates of birth and Social Security numbers.
Read more on Orange County Register.
This incident does not appear to be on HHS’s public breach tool yet, but a statement on Blue Shield’s web site says that the incident affected a “small number of Individual and Family Plan (IFP) members” who enrolled in coverage between October 2013 and December 2015.
Their notification letter to affected members begins:
In December of 2015, Blue Shield was notified by our vendor that data about you may have been accessed by an unauthorized user who gained access to the vendor’s data systems without permission. We believe that the unauthorized access happened between September and December of 2015 and was the result of log-in credentials for certain Blue Shield customer service representatives being misused. No data systems at Blue Shield were impacted. We take this issue seriously and regret the concern it may cause.
Our investigation determined that information about you, which may have been accessed, included your name, address, date of birth, and Social Security number.
Affected individuals were advised how to protect themselves and offered one year of Experian ProtectMyID services.
Although the notification letter might suggest that the CSRs’ login credentials had been hacked, Blue Shield’s statement to OC Register suggests that the call center employees fell for a scam. The vendor was not named in the notification or the media report.