Blue Cross and Blue Shield of Massachusetts (BCBSofMA) has recently confirmed that a data breach at a business associate led to the compromise of the protected health information (PHI) of some of its health plan members. The breach took place at LifeWorks US Inc, which provides services connected to the management of the Retirement Income Trust, which involves paying pension beneficiaries.
Around June 20, 2022, a former LifeWorks employee sent spreadsheets to a personal email account and copied the email to the personal email account of another former LifeWorks employee. The spreadsheets held the protected health information of people who were entitled to receive or were receiving benefits from BCBSofMA.
The former employees stated that the spreadsheets were emailed to preserve the formula used and that efforts were made to remove all PHI from the spreadsheets; nonetheless, certain PHI was left. The former employees stated that they did not further disclose the details in the spreadsheets and have since deleted the spreadsheets from their own email accounts. The spreadsheets only included the following data: names, addresses, Social Security numbers, and some pension benefit data.
BCBSofMA has announced that the breach impacted 4,855 people and has provided complimentary identity theft and credit monitoring services for two years to affected persons. LifeWorks stated it is taking steps to prevent similar incidents from happening again.
Business Associate Cyber Attack Impacts Health Plan Members of Blue Shield of California
A subcontractor of a Blue Shield of California (BSofC) vendor has experienced a ransomware attack in which the protected health information of BSofC and BSofC Promise Health Plan members was accessed or obtained. OneTouchPoint (OTP) identified the ransomware attack on April 28, 2022. OTP was a subcontractor employed by business associate Matrix Medical Network.
OTP said it immediately terminated the unauthorized access to the system and started an investigation into the security breach. Though it cannot be established whether files containing health plan members' PHI were accessed or acquired, the possibility cannot be ruled out. The files that were likely viewed contained names, diagnoses, medications, subscriber ID numbers, patient addresses, dates of birth, gender, doctor demographic details, advance directives, family histories, social histories, allergies, vital signs, vaccinations, encounter records, and assessment ID numbers and dates.
The data breach report sent to the HHS' Office for Civil Rights showed that 1,506 health plan members were impacted. Impacted people were given a free one-year membership to a credit monitoring and identity theft protection service.