Florida Blue, the business name of Blue Cross and Blue Shield of Florida, has recently announced that the personally identifiable information of nearly one thousand insurance applicants has been exposed online following a data breach of their network.
The organisation was alerted to the exposure of patient data in late August. They immediately launched an internal investigation into the source of the breach. Following the investigation, Florida Blue released a report which revealed that the data of 475 insurance applications had been backed up to the cloud by an unaffiliated insurance agent, Real Time Health Quotes (RTHQ). A breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, as required by HIPAA, indicates that 939 individuals have been impacted by the incident.
The data backup included agency files and copies of health, dental, and life insurance applications from 2009 to 2014. As the cloud server used to back up data was unsecured, the integrity of this patient information was compromised and the server was vulnerable to a breach. Anybody with an internet connection and sufficient skills had the capability to access the private healthcare information of hundreds of people.
While data access and theft of personally identifiable information remain a possibility, Florida Blue has received no reports that any of the exposed information has been used for malicious purposes.
The files contained information such as the names of applicants, dates of birth, demographic information, medical histories, Social Security numbers, and limited banking and payment information. Following the discovery that information had been left unsecured, RTHQ took steps to address the vulnerability. Precautions have been taken to ensure that the information is no longer accessible by unauthorized individuals.
The incident was discovered by Florida Blue on August 30, 2017. As required by HIPAA’s Breach Notification Rule, patients were notified of the breach by mail in late October. Even though Florida Blue was not responsible for the breach, and has no affiliation with RTHQ, affected applicants have been contacted and offered two years of identity theft protection services without charge. Florida Blue said it is still investigating the incident, and is trying to find out how RTHQ acquired the application information and why the information was stored on an unsecured cloud server. More information is to follow.