Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals

Highmark BlueCross BlueShield of Delaware is investigating a data breach that has impacted 19,000 beneficiaries of employer-paid health plans. The data breach involves two subcontractors of Highmark BCBS – Summit Reinsurance Services and BCS Financial Corporation.

Karen Kane, Highmark BCBS director of privacy and information management, issued a statement saying 16 current and former Highmark self-insured customers have been impacted.

Affected individuals have now been notified of the breach by mail. The breach notification letters were sent by Summit Reinsurance Services (SummitRe). In the letters, consumers were informed that some of their highly sensitive protected health information had potentially been accessed by unauthorized individuals.

A ransomware infection was discovered by SummitRe on August 5, 2016, although a forensic analysis of the cyberattack revealed that access to Summit’s systems was first gained on March 12, 2016. SummitRe stated in the letters that the forensic investigation into the breach is ongoing, although no direct evidence has been uncovered to suggest that any ePHI stored on the affected server has been used inappropriately.

The types of data that could potentially have been accessed include names, Social Security numbers, details of health insurance, providers’ names, medical records relating to insurance claims – including medical diagnoses, and some clinical information.

Patients affected by the breach have been offered a year of credit monitoring and identity restoration services to protect them against identity theft and fraud.

Details of the nature of the cyberattack are being kept under wraps for the time being while the investigation continues. One of the questions that is likely to be asked is what happened during the five months between the initial intrusion and the ransomware infection.

Hackers are known to install ransomware once they no longer require access to infiltrated systems, often after all valuable information has been obtained. In this case, it is unclear whether any data were exfiltrated during those five months.

SummitRe has been criticized for the letter sent to affected individuals, as it was not abundantly clear who the company was. Affected individuals would have been unlikely to have any dealings with the company in the past as insurance plans were provided through their employers.

Trinidad Navarro, Insurance Commissioner for the State of Delaware, said the letter “appears as if it is A) an ad, or B) a scam.” Navarro also said, “Unfortunately, we fear that many may have misinterpreted or inadvertently discarded the letter.”

One of the data breach notification letters was provided to NBC 10 reporters by an affected patient. The letter was dated January 4, 2016. It is unclear why it took five months for patients to be notified of the breach – almost 10 months after the server was inappropriately accessed.

HIPAA Breach Notification Rule Requirements for Notifying Individuals of Data Breaches

The HIPAA Breach Notification Rule requires covered entities to notify individuals of a suspected ePHI breach within 60 days of discovery of the breach. Last week, the Department of Health and Human Services’ Office for Civil Rights sent a strong message to covered entities about the importance of issuing timely breach notifications. Presence Health of Illinois agreed to settle potential violations of the HIPAA Breach Notification Rule after OCR investigators became aware that it had delayed breach notifications for 3 months following a 2013 security incident affecting 836 individuals. Presence Health will pay OCR $475,000 as part of the settlement deal.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.