Independence Blue Cross, a Philadelphia-based health insurer, notified thousands of its members this week that a data breach had exposed some of their protected health information (PHI), according to Healthcare Informatics.
On July 19, 2018, Independence Blue Cross’s privacy office announced a breach in which the personal information of approximately 17,000 members – fewer than 1% of the total membership – was potentially accessed by unauthorized individuals after an employee uploaded a file to a public-facing website on April 23, 2018. The file, which contained members’ PHI, remained accessible until it was removed on July 20.
“Information privacy and security are among our highest priorities. Independence has strict security measures in place to protect information in its care. Upon learning of this incident, Independence quickly took steps to ensure the file was permanently removed from the website. We reviewed company policies and procedures and implemented additional technical controls to help prevent future incidents of this kind. We also ensured that the appropriate action was taken with the employee responsible for uploading the subject file,” the company wrote.
In addition, the breach notification emphasized that no social security numbers, financial information, or credit card information was included in the exposed data.
“Criminals stealing your medical information or diagnosis codes is no longer a plot twist reserved for TV dramas with the latest records breach,” said Aaron Zander, senior IT engineer at HackerOne.
“Cybercrime damage is expected to hit $6 trillion annually by 2021, and this is just the beginning of medical record breaches, as these records are worth far more than your easily replaceable credit card. Like in the 2016 election with the release of fake medical records for presidential candidate Hillary Clinton, public announcement of a private condition can cause real damage.”
Though the company conducted a thorough investigation, it was not able to determine whether malicious actors had accessed any of the exposed data. Still, “the Independence Blue Cross data breach represents yet another example of an exposure of sensitive information at the hands of an employee,” said Zohar Alon, co-founder and CEO of Dome9 Security.
“This underscores the critical importance of properly training all employees in an organization on cybersecurity best practices and providing continuous educational opportunities as threats evolve. Additionally, because humans are prone to error, companies need to be looking to automate processes as much as possible, minimizing the need for human handling of data and reducing the risk of errors that can lead to data exposure.”