Telephone Phishing Scam Impacts 21K Blue Shield of California Subscribers
Blue Shield of California has reported a breach of PHI caused by an employee of a business associate who fell for a telephone phishing scam. Almost 21,000 individuals have been affected by the security breach.
Healthcare providers and insurers should conduct staff training to ensure employees are aware of the risk of phishing campaigns delivered by email, but the latest Californian healthcare data breach shows that email is not the only medium phishers are using to obtain the login credentials of healthcare workers. Telephone phishing scams can be just as effective as email phishing campaigns.
The latest healthcare security breach occurred at the call center of a business associate of the Blue Shield of California. A member of staff was asked for login details and provided these over the telephone. It is unclear how the caller convinced the individual to disclose this information.
The incident affected individuals and Blue Shield Family Plan (IFP) members who took out health insurance coverage between October 2013 and December 2015. After login details were obtained, those credentials were used to access the data system of Blue Shield of California’s business associate only. Blue Shield of California’s database and systems were not inappropriately accessed.
The data potentially obtained by the scammer(s) include member names, addresses, Social Security numbers, and dates of birth, with those data understood to have been accessed between October 2015 and December 2015.
The information obtained by the scammers could potentially be used to commit identify theft and fraud. In an effort to mitigate the risk of members suffering financial losses as a result of the data theft, Blue Shield of California has offered all affected plan members a year of credit monitoring and identity theft protection services without charge. The victims will also be covered by a $1 million identity theft insurance policy.
Blue Shield of California has announced that it is “working internally and with our vendor to improve our overall security procedures in order to provide additional protections for your personal information.”