Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments

Blue Cross of Idaho has discovered its website has been hacked and an unauthorized individual gained access to its member portal and viewed the protected health information of some of its members.

Blue Cross of Idaho is one of the largest health insurers in the state and serves approximately 560,000 Idahoans. Blue Cross of Idaho’s executive vice president Paul Zurlo said the breach affected around 1% of its members – around 5,600 individuals. (Update 05/03/2019: The HHS breach portal indicates 6,045 individuals have been affected.)

The website security breach occurred on March 21, 2019 and was discovered the following day. During the time that portal access was possible, the hacker accessed provider remittance documents and attempted to reroute provider financial transactions.

Upon discovery of the breach, Blue Cross of Idaho terminated the unauthorized access and secured its portal to prevent financial fraud and further access to documents. The incident was reported to the FBI and the investigation remains open. The health insurer is working with internal and external cybersecurity consultants and financial experts to assess the security of the patient portal and the financial transactions that have taken place. All transactions going through the system are being monitored to ensure they are legitimate.

The remittance documents that were accessed did not contain Social Security numbers, driver’s license numbers, bank account information or debit/credit card numbers. The compromised information was limited to names, enrollee numbers, patient account numbers, claims numbers, payment data, procedure codes, provider names, and dates of service.

Members impacted by the breach have been advised to carefully monitor their bank account, credit card, and other financial statements for any sign of fraudulent activity as a precaution, even though financial information was not exposed. Explanation of benefits statements should also be checked for any services listed that have not been provided.

Following the exposure of sensitive information, it is customary to offer free access to credit monitoring and identity theft protection services. If Social Security numbers, financial information, or driver’s license numbers are exposed in a data breach, those services are usually provided for 12 months at no cost.

Even though highly sensitive information was not exposed and there do not appear to have been any attempts to misuse PHI, Blue Cross of Idaho is offering credit monitoring and identity theft protection services to affected members for three years.

Blue Cross of Idaho will also be sending new ID cards with different membership ID numbers to all affected individuals in the next few weeks and will continue to monitor the security of its system to ensure that members’ personal information is safe and secure.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.