HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Website Error Exposes PHI of Blue Shield of California Members

A website programming error has caused a data breach that exposed the confidential records of 843 members of Blue Shield of California (BSoC).

The unintentional coding error resulted in authorized users being shown other individuals’ information via the health plan’s secure administrator website. The exposure occurred when two users logged into the system at the same moment: one user’s records were displayed on the other user’s screen. The glitch persisted for 9 days, with data first compromised on May 9, 2015.

The data breach affects only the website used by administrators and brokers of BSoC’s group health benefit plan. The breach occurred after an update was made to the code on the site. That error was not replicated on the public Blue Cross website.

Blue Shield of California was informed of the data breach on May 18 following a call to its Privacy Office. The website was immediately taken offline to prevent any further exposure of confidential records and to give BSoC time to investigate the problem. The error was identified and the website was recoded within 24 hours. Additional code was added to the site to help the health plan rapidly identify this type of error, should a similar coding mistake be made in the future.
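The article describes the symptom (two simultaneous logins, one user shown the other's records) and the fix (a recode plus extra code that flags this kind of error), but not the root cause. The following is an added illustration, not Blue Shield of California's code: it assumes one common mechanism behind this symptom, per-request state kept in a process-wide variable, shows the same handler with request-local state, and adds a response-time guard that refuses to serve a record whose owner is not the authenticated member. The member ids, names and the `guard`, `vulnerable_render`, `hardened_render` and `simulate_race` functions are all constructed for this example.

```python
"""Added illustration, not Blue Shield of California's code.

One plausible mechanism (assumed, not stated by the article) behind "two users
logged in at the same time saw each other's records": per-request state held in
a process-wide variable. Beside it: the same handler with request-local state,
and a response-time guard so a cross-member leak is detected before a page is
served instead of silently rendering someone else's data.
"""
import threading
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Member:
    member_id: str
    name: str


# Constructed sample data: two members of a group health plan.
MEMBERS = {
    "M-001": Member("M-001", "Alice Example"),
    "M-002": Member("M-002", "Bob Example"),
}


class CrossMemberLeak(Exception):
    """Raised when a response would carry a record the session does not own."""


def guard(session_member_id: str, record: Member) -> Member:
    """Response-time check: the record's owner must equal the authenticated member."""
    if record.member_id != session_member_id:
        raise CrossMemberLeak(
            f"session for {session_member_id} would receive record {record.member_id}"
        )
    return record


# ---------- Vulnerable pattern: request state in a process-wide variable ----------
_current_member_id: Optional[str] = None   # shared by every thread/request


def vulnerable_render(session_member_id: str,
                      yield_point: Optional[Callable[[], None]] = None) -> Member:
    """Stores 'who is logged in' globally, then reads it back to build the page."""
    global _current_member_id
    _current_member_id = session_member_id   # step 1: record the caller
    if yield_point:
        yield_point()                        # another request may run here
    return MEMBERS[_current_member_id]       # step 2: may now be a different member


def guarded_vulnerable_render(session_member_id: str,
                              yield_point: Optional[Callable[[], None]] = None) -> Member:
    """Root cause left in place, but the guard refuses to serve the wrong record."""
    return guard(session_member_id, vulnerable_render(session_member_id, yield_point))


# ---------- Hardened pattern: request state stays local to the request ----------
def hardened_render(session_member_id: str,
                    yield_point: Optional[Callable[[], None]] = None) -> Member:
    member_id = session_member_id            # local variable, never shared
    if yield_point:
        yield_point()
    return guard(session_member_id, MEMBERS[member_id])


def simulate_race(render: Callable[..., Member]) -> dict:
    """Deterministically interleave two requests: A records its id, B runs to
    completion, then A finishes. Returns the member id each request received."""
    a_stored, a_may_finish = threading.Event(), threading.Event()
    results: dict = {}

    def pause() -> None:
        a_stored.set()
        a_may_finish.wait()

    def request_a() -> None:
        try:
            results["A"] = render("M-001", yield_point=pause).member_id
        except CrossMemberLeak:
            results["A"] = "BLOCKED"

    worker = threading.Thread(target=request_a)
    worker.start()
    a_stored.wait()                                   # A has recorded M-001
    results["B"] = render("M-002").member_id          # B's request runs in between
    a_may_finish.set()                                # let A build its page
    worker.join()
    return results


if __name__ == "__main__":
    print("vulnerable:", simulate_race(vulnerable_render))          # A gets M-002 (leak)
    print("guarded:   ", simulate_race(guarded_vulnerable_render))  # A is BLOCKED
    print("hardened:  ", simulate_race(hardened_render))            # A gets M-001
```

The guard is the detection layer: even with the shared-state bug still present, the guarded variant stops the page from being served and raises an error that can be logged and alerted on, which is the role the article's "additional code" plays. The hardened variant removes the root cause by keeping the caller's identity in request-local state, so the guard never fires.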


In accordance with the HIPAA Breach Notification Rule, BSoC has now started informing all affected individuals by mail. A breach notice has also been issued to the California Department of Justice’s Office for the Attorney General.

The information exposed included first and last names, home addresses, dates of birth and Blue Shield ID numbers. Some individuals’ Social Security numbers were also compromised.

BSoC is offering all affected individuals a year of credit monitoring and identity theft protection services. Daily credit reports will be provided so that any instance of credit or identity fraud can be identified quickly and prompt action taken to prevent financial loss.

The provision of identity theft and credit monitoring services is offered as a precaution. BSoC has no reason to believe that any of the information exposed in the incident has been used inappropriately.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.