Triple-S Management, an insurer whose business includes acting as the Blue Cross and Blue Shield licensee of Puerto Rico serving 1 million members, has reported a data breach affecting more than 400,000 members.
The breach resulted from unauthorized access to a database by employees of a competitor of Triple-S, which reported the intrusions to Triple-S.
The intrusions occurred multiple times between Sept. 9 and 15 as the competitor's employees downloaded protected health information of about 398,000 Blues members into the competitor's information systems. During the investigation, Triple-S also learned that smaller breaches affecting about 8,000 individuals covered under the state government's health plan and Medicare occurred between October 2008 and August 2010.
The competitor's employees used one or more active user IDs and passwords specific to Triple-S' database to access the information. Triple-S believes the likely target was financial information related to the government insurance plan rather than individuals' information.
As first reported on the PHIprivacy.net Web site, Triple-S explained the breach in its third quarter financial report to the Securities and Exchange Commission:
"On September 21, 2010, we learned from a competitor that a specific internet database managed by our subsidiary TCI, containing information pertaining to individuals previously insured by TSS under the Government of Puerto Rico's Health Insurance Plan ("HIP") and to independent practice associations ("IPAs") that provided services to those individuals, had been accessed without authorization by certain of our competitor's employees from September 9 to September 15, 2010.
"We immediately began an investigation and engaged external resources to assist in this matter. TCI served as a third-party administrator for TSS in the administration of its HIP contracts until September 30, 2010. We have identified the information that was accessed and downloaded into the competitor's system. The September 2010 intrusions may have potentially compromised protected health information of approximately 398,000 beneficiaries in the North and Metro-North regions of the HIP.
"We have also learned as a result of our ongoing investigation that protected health information of approximately 5,500 HIP beneficiaries, 2,500 Medicare beneficiaries and IPA data from all three HIP regions previously serviced by TSS was accessed through multiple, separate intrusions into the TCI IPA database from October 2008 to August 2010. The stolen information did not include Social Security numbers.
"Our investigation has revealed that the security breaches were the result of unauthorized use of one or more active user IDs and passwords specific to the TCI IPA database, and not the result of breaches of TSS's or the Corporation's system security features.
"We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs. We believe, however, that the most likely target was financial information related to IPAs rather than the individuals' information. During the course of our investigation we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs.
"We have taken measures to strengthen the TCI server security and credentials management procedures, and are conducting an assessment of our system-wide data and facility security to prevent the occurrence of a similar incident in the future. We continue to investigate these events and to analyze the data as it becomes known to us to identify all individuals and entities whose information may have been impacted, and to take any additional corresponding remedial actions in accordance with applicable laws and regulations.
"We have notified the appropriate Puerto Rico and federal government agencies of these events, and have issued public notice of the breaches as required under Puerto Rico law. We have received a number of inquiries and requests for information related to these events from these government agencies and are cooperating with them. As a result of our ongoing investigation, we have determined that additional filings and public notices will be required.
"In addition, the Puerto Rico government agency that oversees the HIP has levied a fine of $100,000 on TSS in connection with these incidents, which we are appealing. Other government agencies may seek to impose fines or other obligations on us. We do not have sufficient information at this time to predict whether any future action by government entities or others as a result of the data breaches would adversely affect our business, financial condition and results of operations."