HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Blue Cross Blue Shield of Minnesota Starts Correcting 200,000 Critical and Severe Vulnerabilities

Blue Cross Blue Shield of Minnesota, the largest health insurer in the state, is now taking steps to fix around 200,000 unaddressed vulnerabilities on its servers that, in some cases, are more than a decade old.

In August 2018, Tom Yardic, a cybersecurity engineer at BCBS Minnesota discovered patches were not being applied on its servers, even though the vulnerabilities were rated critical or severe. The engineer met with executives at BCBS Minnesota to raise the alarm, yet no action appeared to be taken.

Around a month later, Yardic alerted the BCBS Minnesota board of trustees as a last resort to get action taken to address the flaws, according to a recent report in the Star Tribune.

According to the newspaper report, evidence was obtained that revealed vulnerabilities had not been addressed for many years. There were around 200,000 critical or severe vulnerabilities that had not been addressed on approximately 2,000 servers. Around 44% of the vulnerabilities were more than 3 years old and approximately 12% of the flaws dated back 10 or more years.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Approximately 3.9 million individuals are insured by BCBS Minnesota. The failure to correct the vulnerabilities in a reasonable time frame has placed their sensitive information at risk.

The Star Tribune spoke with officials at BCBS Minnesota who confirmed that work is now underway to correct the flaws and said it is trying to correct as many of the flaws as possible before the end of the year. According to the Star Tribune, “Minnesota Blue Cross did not dispute the accuracy of the number of past vulnerabilities” and said that the number of unaddressed vulnerabilities is now far lower and is much lower on workstations.

It is not surprising that a cybersecurity engineer has taken steps to get the flaws corrected. It is surprising that it took so long, especially following the cyberattacks on Anthem Inc., Premera Blue Cross, and Excellus BCBS in 2015 that resulted in the theft of the protected health information of more than 99.8 million Americans.

Surprisingly, given the sheer number of unaddressed vulnerabilities, BCBS Minnesota has never reported a data breach of its own systems since the HHS Office for Civil Rights started publishing summaries of data breaches on its breach portal in 2009.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.