Blue Shield of California members’ data stolen — ‘a gold mine for thieves’

Insurer blames third-party software for loss of Social Security numbers, other information

Blue Shield of California vision policyholders’ sensitive data, including Social Security numbers, birth dates, and addresses, may have been accessed by criminal hackers, the Oakland-based health insurance giant announced this week.

According to Blue Shield, the breach, which may have included diagnosis and treatment information, was caused by a cyberattack on a widely used software tool for sending and receiving data. The insurer is one of thousands of businesses affected by the hack.

Despite multiple requests, Blue Shield of California has refused to reveal how many of its 4.5 million customers have vision plans and may have had their data stolen.


“Blue Shield of California has followed all applicable State and Federal requirements in notifying members and regulatory agencies about data we believe to have been exposed,” the organization said in a statement. Blue Shield said it had taken “immediate steps” to secure its network and that there was no evidence that its own systems had been compromised.

For more information, the non-profit cited an online news release dated Nov. 17, but it did not appear among the news releases on the Blue Shield news web page on Thursday.

According to the release, a vendor that “manages vision benefits for many of our Blue Shield members” notified Blue Shield on Sept. 1 that hackers “exfiltrated information” in May on Aug. 23.

While the news release lists numerous categories of exposed information, Blue Shield stated in an email that the “data impacted in the cybersecurity incident varied for individual members,” so notification letters to members were tailored accordingly.

A letter from Blue Shield about the breach reviewed by this news organization, dated Nov. 10 but not received until this week by a California customer, stated that information including their name, address, birth date, Social Security number, and member-identity number may have been stolen.

According to Bill Budington, senior staff technologist at the San Francisco-based digital-privacy organization Electronic Frontier Foundation, “highly sensitive information” like the Blue Shield data is typically sold on the illicit online marketplace known as the dark web.

The U.S. Federal Trade Commission warns that criminals can use stolen names and Social Security numbers to steal victims’ tax refunds. With a health insurance identification number, a criminal can visit a doctor, obtain prescription drugs, purchase medical devices, and file insurance claims in the victim’s name, according to the agency. The U.S. Department of Justice warns that with enough stolen personal data, bad actors can apply for loans and credit cards in a victim’s name, as well as withdraw money from their bank accounts.

Budington stated that Blue Shield waited weeks before notifying affected members of the breach, denying them the ability to take timely action to protect themselves from identity theft or other crimes. “Companies need to do better,” he stated.

According to Blue Shield, hackers stole Blue Shield members’ information from the vision-benefits manager’s computer server, which was running the MOVEit file-transfer tool. MOVEit is used by governments, financial institutions, and businesses all over the world to send and receive information ostensibly securely.

Clop, a cybercriminal group that the US government believes is linked to Russia, announced in June that it had broken into MOVEit in May. According to Emsisoft, a New Zealand cybersecurity firm, more than 2,600 organizations around the world had data stolen in the attack, including government-services giant Maximus and the state governments of Colorado and Maine. Budington said it’s unclear whether the information the hackers stole was sold on the dark web.

According to Emsisoft, nearly 80% of known victims are organizations based in the United States. The most affected sectors globally are education (40%) and health care (20%), along with finance and professional services (13%).

In a June lawsuit filed in federal court in Massachusetts against MOVEit maker Progress Software, the information stolen was described as “a gold mine for data thieves.”

This is Blue Shield’s second data breach to be made public this year. The insurer reported in March that a subcontractor to one of its providers had “suffered a security incident” in late January, during which an attacker downloaded files. Blue Shield members’ information that could have been stolen included birth dates, addresses, genders, phone numbers, and email addresses, but no Social Security numbers, financial information, or health information, according to Blue Shield.

The MOVEit hack affected many other health insurers and providers, including the Centers for Medicare & Medicaid Services, which warned in July that more than 600,000 Medicare beneficiaries’ Social Security numbers, birth dates, addresses, medical histories, and other personal information may have been stolen. Welltok, a health care software company, announced in October that its MOVEit server had been hacked, with victims including Sutter Health and Stanford Health Care group health plans.

According to the US government, the Clop hackers are suspected of breaking into another file-transfer software tool called GoAnywhere earlier this year. Santa Clara Family Health Plan, based in San Jose, said information on 276,993 members, including names, contact information, birth dates, member-identity numbers, and Medi-Cal credentials, may have been compromised.

HCA Healthcare, which owns Good Samaritan Hospital and Regional Medical Center in San Jose, announced in July that its computer system had been hacked, exposing patient names, phone numbers, birth dates, and other information.
