Share this article on:
Blue Cross Blue Shield of Minnesota, the largest health insurer in the state, is now taking steps to fix around 200,000 unaddressed vulnerabilities on its servers that, in some cases, are more than a decade old.
In August 2018, Tom Yardic, a cybersecurity engineer at BCBS Minnesota discovered patches were not being applied on its servers, even though the vulnerabilities were rated critical or severe. The engineer met with executives at BCBS Minnesota to raise the alarm, yet no action appeared to be taken.
Around a month later, Yardic alerted the BCBS Minnesota board of trustees as a last resort to get action taken to address the flaws, according to a recent report in the Star Tribune.
According to the newspaper report, evidence was obtained that revealed vulnerabilities had not been addressed for many years. There were around 200,000 critical or severe vulnerabilities that had not been addressed on approximately 2,000 servers. Around 44% of the vulnerabilities were more than 3 years old and approximately 12% of the flaws dated back 10 or more years.
Approximately 3.9 million individuals are insured by BCBS Minnesota. The failure to correct the vulnerabilities in a reasonable time frame has placed their sensitive information at risk.
The Star Tribune spoke with officials at BCBS Minnesota who confirmed that work is now underway to correct the flaws and said it is trying to correct as many of the flaws as possible before the end of the year. According to the Star Tribune, “Minnesota Blue Cross did not dispute the accuracy of the number of past vulnerabilities” and said that the number of unaddressed vulnerabilities is now far lower and is much lower on workstations.
It is not surprising that a cybersecurity engineer has taken steps to get the flaws corrected. It is surprising that it took so long, especially following the cyberattacks on Anthem Inc., Premera Blue Cross, and Excellus BCBS in 2015 that resulted in the theft of the protected health information of more than 99.8 million Americans.
Surprisingly, given the sheer number of unaddressed vulnerabilities, BCBS Minnesota has never reported a data breach of its own systems since the HHS Office for Civil Rights started publishing summaries of data breaches on its breach portal in 2009.