Blue Shield of California members' Social Security numbers, other data stolen

Sensitive data from Blue Shield of California vision policy holders - including Social Security numbers, birth dates and addresses - may be among confidential patient information accessed by criminal hackers, the Oakland-based health insurance giant announced this week.
The breach, which may also have included diagnosis and treatment information, resulted from a cyberattack on a widely used software tool for sending and receiving data, Blue Shield said.
Despite multiple requests, Blue Shield refused to say how many of its 4.5 million customers have vision plans and may have had their data taken.
A letter reviewed by this news organization from Blue Shield about the breach, dated Nov. 10 but not received until this week by a California customer, said information including their name, address, birth date, Social Security number and member-identity number may have been stolen.
The U.S. Federal Trade Commission warns that stolen names and Social Security numbers can be combined to allow criminals to steal victims' tax refunds.
Add a health insurance identification number and a criminal can see a doctor, get prescription drugs, buy medical devices or submit insurance claims in a victim's name, the agency said.
The U.S. Department of Justice warns that with enough stolen personal data, bad actors can make false applications for loans and credit cards in a victim's name or withdraw money from their bank accounts.
Budington noted that Blue Shield waited weeks before issuing notifications about the breach, depriving affected members of the ability to take timely action to protect themselves from identity theft or other crimes.
Hackers stole Blue Shield members' information from the vision-benefits manager's computer server running the MOVEit file-transfer tool, according to Blue Shield.
MOVEit is used around the world by governments, financial institutions and companies to send and receive information, purportedly securely.
In June, a cybercriminal group known as Clop, believed by the U.S. government to be Russia-linked, announced that it had broken into MOVEit in May. New Zealand cybersecurity firm Emsisoft's running tally indicates more than 2,600 organizations around the world had data stolen in the attack, including government-services giant Maximus and the state governments of Colorado and Maine.
It's unclear whether information taken by the hackers has been put up for sale on the dark web, Budington said.
Globally, the most affected sectors are education at 40% of victims, health care at 20% and finance and professional services at 13%, Emsisoft reported.
For Blue Shield, it's the second data breach to be made public this year.
Blue Shield members' information possibly stolen included birth dates, addresses, genders, phone numbers and email addresses but not Social Security numbers or financial or health information, Blue Shield said.
Numerous other security lapses and data breaches affecting Blue Shield members going back to 2013 are listed on the California Attorney General's website.
Many other health insurers and providers were hit in the MOVEit hack, including the U.S. Centers for Medicare & Medicaid Services, which warned in July that more than 600,000 Medicare beneficiaries may have had their Social Security numbers, birth dates, addresses, medical histories and other personal information stolen.
Health care software giant Welltok in October said its MOVEit server had been breached, with victims that included Sutter Health and group health plans for Stanford Health Care.
San Jose-based Medi-Cal provider Santa Clara Family Health Plan said information of 276,993 members, including names, contact information, birth dates, member-identity numbers and Medi-Cal credentials, may have been compromised.
In July, Tennessee-based HCA Healthcare, which owns Good Samaritan Hospital and Regional Medical Center in San Jose, said its computer system had been hacked, exposing patient names, phone numbers, birth dates and other data.


This Cyber News was published on www.siliconvalley.com. Publication date: Sun, 03 Dec 2023 23:59:06 +0000

