Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI


Independence Blue Cross is notifying thousands of plan members that some of their protected health information has been exposed online and has potentially been accessed by unauthorized individuals.

The Independence Blue Cross privacy office was informed about the exposed information on July 19 and immediately launched an investigation. A leading forensics investigation firm was hired to investigate the incident and establish whether any plan members’ information was accessed during the time it was exposed.

Independence Blue Cross said an employee had uploaded a file containing plan members’ protected health information to a public-facing website on April 23, 2018. The file remained accessible until July 20, when it was removed from the website.

The information contained in the file was limited. No financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed.

Despite a thorough investigation, it was not possible to determine whether any unauthorized individuals accessed the file during the time it was on the website. No reports have been received to date to suggest any protected health information has been misused.

According to a statement from the health insurer, the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1% of plan members – approximately 17,000 individuals – were affected by the breach.

Affected individuals have now been notified of the breach and, out of an abundance of caution, Independence Blue Cross is offering all affected individuals 24 months of free triple-bureau credit monitoring and identity theft protection services.

The Philadelphia-based health insurer has taken steps to prevent further breaches of this nature and ‘appropriate action’ has been taken with the employee who uploaded the file to the website.

Author: HIPAA Journal
