HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Florida Blue Data Breach Impacts 939 Individuals

Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced that the personally identifiable information of a limited number of insurance applicants has been exposed online.

Florida Blue was alerted to the exposure of patient data in late August and immediately launched an investigation. Florida Blue reports that the investigation revealed 475 insurance applications had been backed up to the cloud by an unaffiliated insurance agent, Real Time Health Quotes (RTHQ).

The data backup included agency files and copies of health, dental, and life insurance applications from 2009 to 2014. Those files were left vulnerable as an unsecured cloud server was used to store the backup files. Consequently, those files could have been accessed by the public via the Internet.

While data access and theft of personally identifiable information remains a possibility, Florida Blue has received no reports that any of the exposed information has been used for malicious purposes.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The files contained information such as the names of applicants, dates of birth, demographic information, medical histories, Social Security numbers, and limited banking and payment information. Following the discovery that information had been left unsecured, RTHQ took steps to address the vulnerability and the information is no longer accessible by unauthorized individuals.

The incident was discovered by Florida Blue on August 30, 2017, and patients were notified of the breach by mail in late October. Even though Florida Blue was not responsible for the breach, and has no affiliation with RTHQ, affected applicants have been contacted and offered two years of identity theft protection services without charge. Florida Blue said it is still investigating the incident, and is trying to find out how RTHQ acquired the application information and why the information was stored on an unsecured cloud server.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 939 individuals have been impacted by the incident.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.