On March 21, Blue Cross of Idaho officials discovered that the insurer's provider portal had been breached in an attempt to fraudulently reroute financial transactions. Access was disabled and the portal was secured within the day. Officials determined the hacker was able to access provider remittance data, which contained protected health information, as reported by HealthITSecurity.
Compromised data included patient names, subscriber or enrollee numbers, dates of service, provider names, patient account numbers, claims number and payment data, and procedure codes. Social Security numbers, driver’s licenses, banking details, and diagnoses were not breached during the incident.
The hack was reported to the FBI, which launched an investigation. Further, officials said their internal cybersecurity and financial leaders are working with outside experts to review the impacted portal and the associated financial transactions.
The investigation determined the hackers were able to access the patient data for about 1 percent of Blue Cross of Idaho’s membership, officials said. The insurer is still working with the FBI on its investigation, in addition to reviewing its online and portal security to ensure data is protected.
Members will receive new ID cards with new membership numbers within the next few weeks. Further, officials said they’re offering patients three years of free credit monitoring and identity theft restoration services. Typically, breached organizations offer just one year of credit monitoring services for impacted patients. The extended time period provided by Blue Cross likely reflects the nature of the hack: attempted fraud.
Officials are continuing to review financial accounts and the provider portal to ensure only legitimate transactions are going through the system. The insurer will also make “continuous improvements to its provider portal and online security based on the results of this investigation and best practices used across the industry.”