Medical Data Breaches at Blue Shield, New West Expose 46,000 Customers’ Info

Two health service providers recently acknowledged data breaches affecting thousands of clients.

Blue Shield of California says the personal information of almost 21,000 people who enrolled in coverage between October 2013 and December 2015 may have been exposed as a result of a data breach at a third-party vendor, the Orange County Register reports.

That breach, according to Blue Shield’s notification letter [PDF], “happened between September and December of 2015 and was the result of log-in credentials for certain Blue Shield customer service representatives being misused.”

A recent Ping Identity survey of more than 1,000 U.S. enterprise employees found that almost half admitted reusing passwords for work-related accounts, and almost two third admitted doing so for personal accounts.

According to Blue Shield, the information potentially exposed includes names, addresses, birthdates and Social Security numbers. All those affected are being offered a free one-year membership in Experian’s ProtectMyID Alert service.

And Montana’s New West Health Services, a health plan offering Medicare Advantage and Medicare Supplement Plans, recently announced that an unencrypted laptop containing past and current New West customer information was stolen from an off-site location.

New West worked with Navigant to determine what data may have been on the laptop, and determined that it held customer names, addresses, and in some cases, driver’s license numbers, Social Security numbers or Medicare claim numbers.

It may also have held payment information, including bank account or credit card information, as well as some health information, including birthdates, medical history and condition, diagnosis and/or prescription information.

According to Montana Public Radio, 25,000 customers are affected.

All those whose Social Security numbers may have been exposed are being offered one free year of credit monitoring and identity protection services. “Moving forward, we are committed to taking steps to prevent this type of incident from occurring in the future,” New West said in a statement. “These steps include installing additional security on all company laptops, enhancing education for our employees, and strengthening our data security policies and practices.”

In similar breaches disclosed last week, a USB drive stolen from New York’s St. Luke’s Cornwall Hospital exposed 29,156 patients’ personal health information (PHI), a missing storage device at Indiana University Health Arnett Hospital may have exposed 29,324 patients’ data, and a laptop stolen from Texas’ HealthSouth Rehabilitation Hospital exposed 1,359 patients’ information, including Social Security numbers.

According to Verizon Enterprise Solutions’ inaugural Protected Health Information Data Breach Report, 90 percent of industries have experienced a data breach that exposed PHI — and according to the 2015 KPMG Healthcare Cybersecurity Survey, 81 percent of healthcare organizations have been breached in the past two years.

“The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise and health care executives are struggling to safeguard patient records,” Michael Ebert, leader in KPMG’s Healthcare & Life Sciences Cyber Practice, said in a statement. “Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed.”

Recent eSecurity Planet have looked at ways of improving security when working with third-party vendors and offered six tips for stronger encryption.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles