Independence Blue Cross in Philadelphia is sending notifications to thousands of its plan members because of the potential exposure of their protected health information (PHI) online and unauthorized individuals may have accessed the data.
The Independence Blue Cross privacy office got information about the exposed PHI on July 19. Immediately, a prominent forensics investigation company was retained to look into the incident and determine if there was indeed exposure of any plan members’ information.
According to investigations, an employee of Independence Blue Cross uploaded a file that contain plan members’ PHI to a website open to the public on April 23, 2018. The file stayed accessible to anyone until it was taken out of the website on July 20.
The file contained limited information and it did not have any financial data or Social Security numbers. The plan members’ information that were exposed include their names, diagnosis codes, healthcare provider data, dates of birth, and data used for processing payments.
Even with a comprehensive investigation, there was no way to know for sure if any unauthorized persons accessed the file while it was open to the public. To date, nobody has submitted any report that suggest any PHI was misused.
The health insurer made a statement that the breach affected some members of Independence Blue Cross and its subsidiaries — AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Approximately 17,000 people or less than 1% of plan members were affected.
Affected plan members have received notification about the breach. Independence Blue Cross is offering all individuals affected by the breach a two-year complimentary triple-bureau credit monitoring and identity theft protection services. The health insurer also took action to protect against further breaches like this. The employee responsible for uploading the file to the public website has been dealt with appropriately.