Employee upload of data causes breach at Philly’s Blues plan

Independence Blue Cross is alerting nearly 17,000 members after an employee put protected health information on to a public-facing website.

The information was uploaded as a file accessible on the website for the Blues plan, which serves the greater Philadelphia region, from this past April 23 to July 20, the insurer reports.

“After a thorough investigation, we are unable to determine if protected health information was accessed and are unaware of any actual or attempted misuse of this information,” the Blues plan explained in a notice.

However, the most sensitive patient data—including Social Security numbers, financial information and credit card information—were not affected by the breach.

Potentially compromised data included member names, dates of birth, diagnosis codes, provider information and information used for claims processing, such as claim numbers, referral numbers and service dates.

Independence Blue Cross-CROP.jpg

Also See: Hacker accesses email accounts, PHI at retirement communities

Upon learning of the breach, the insurer permanently removed the file from the website, reviewed company policies and procedures, and added additional technical controls to prevent reoccurance of such an incident. “We also ensured that the appropriate action was taken with the employee responsible for uploading the subject file,” the insurer noted.

In addition to providing two years of identity protection services, Independence Blue Cross also provided affected individuals information on protecting themselves against identity theft or financial loss, and encouraged placing fraud alerts with the major credit bureaus.

For reprint and licensing requests for this article, click here.