In a notification letter being mailed by Blue Shield of California to affected members, the insurer says the breach involved a secure website that group health benefit plan administrators and brokers use to manage information about their own plans' members. "As the unintended result of a computer code update Blue Shield made to the website on May 9," the letter states, three users who logged into their own website accounts simultaneously were able to view member information associated with the other users' accounts. The problem was reported to Blue Shield's privacy office on May 18.
Blue Shield of California tells Information Security Media Group that the site affected was the company's Blue Shield Employer Portal. "This issue did not impact Blue Shield's public/member website," the company says. When the issue was discovered, the website was promptly taken offline to identify and fix the problem, according to the insurer.
"The website was returned to service on May 19, 2015," according to the notification letter. The insurer is offering all impacted individuals free credit monitoring and identity theft resolution services for one year.
Exposed information included names, Social Security numbers, Blue Shield identification numbers, dates of birth and home addresses. "None of your financial information was made available as a result of this incident," the notification letter says. "The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization."
The Blue Shield of California notification letter also notes that the company's investigation revealed that the breach "was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation."
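The letter describes the symptom (users logged in at the same time seeing each other's member records after a code change) but not the defect behind it. The following is an added example, not Blue Shield's code, and the mechanism it shows is an assumption: one common way a web application produces exactly this symptom is to keep "who is logged in" in state shared by every request (a process-wide variable) instead of resolving it from each request's own session token. The portal classes, the member records and the request interleaving below are all constructed for illustration.

```python
"""Added example: a cross-user data leak caused by process-wide login state,
beside a session-scoped version that does not leak.

This is illustrative code, not Blue Shield's. The page does not say what the
May 9 code update changed; the shared-state pattern here is an assumption
chosen to show the class of bug, and all names and records are constructed.
"""
import secrets

# Constructed sample data: each plan administrator/broker account owns
# member records that only that account should be able to view.
MEMBERS = {
    "broker-A": [{"name": "Member One", "id": "BSC-0001"}],
    "broker-B": [{"name": "Member Two", "id": "BSC-0002"}],
    "broker-C": [{"name": "Member Three", "id": "BSC-0003"}],
}


class VulnerablePortal:
    """Identity kept in server-wide state: one 'current user' for the whole app."""

    def __init__(self):
        self.current_user = None  # shared by every concurrent request

    def login(self, username):
        self.current_user = username
        return "session-" + username  # a token is handed out but never consulted

    def view_members(self, token):
        # BUG: the request's own token is ignored; whoever logged in most
        # recently becomes "the user" for everyone's subsequent requests.
        return MEMBERS[self.current_user]


class HardenedPortal:
    """Identity bound to an unguessable per-login session token."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def view_members(self, token):
        # Each request is authorized from the session it presents, so
        # concurrent logins cannot overwrite one another.
        username = self.sessions.get(token)
        if username is None:
            raise PermissionError("no valid session")
        return MEMBERS[username]


def run_interleaving(portal_cls, steps):
    """Replay a fixed interleaving of several users' requests against one
    portal instance. steps is a list of (user, "login" | "view").
    Returns {user: records that user was shown}."""
    portal = portal_cls()
    tokens = {}
    seen = {}
    for user, action in steps:
        if action == "login":
            tokens[user] = portal.login(user)
        elif action == "view":
            seen[user] = portal.view_members(tokens[user])
    return seen


def leaked_users(portal_cls, steps):
    """Users who were shown records belonging to someone else."""
    seen = run_interleaving(portal_cls, steps)
    return sorted(u for u, rows in seen.items() if rows != MEMBERS[u])


# Constructed interleaving: three users log in at nearly the same moment,
# then each loads the member list for their own plan.
INTERLEAVING = [
    ("broker-A", "login"),
    ("broker-B", "login"),
    ("broker-C", "login"),
    ("broker-A", "view"),
    ("broker-B", "view"),
    ("broker-C", "view"),
]

if __name__ == "__main__":
    print("vulnerable leaks to:", leaked_users(VulnerablePortal, INTERLEAVING))
    print("hardened leaks to:  ", leaked_users(HardenedPortal, INTERLEAVING))
```

The replay is deterministic so the failure is reproducible; in a real multi-threaded server the same defect appears only when requests overlap, which is why the letter's wording about simultaneous logins is the tell. The practical check after any deployment touching authentication or session handling is exactly this: two or more accounts logged in concurrently, each verifying it sees only its own data.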
Similar Incidents
The coding error at Blue Shield of California that let users view other individuals' information is not the first programming mistake on a healthcare-sector website to raise privacy concerns.
For example, in the early weeks of the launch of HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. The Department of Health and Human Services' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site (see HealthCare.gov: Rebuilding Trust).
Software design and coding mistakes that leave PHI viewable on websites have led to at least one healthcare entity paying a financial penalty to HHS' Office for Civil Rights.
An OCR investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. The investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to the healthcare practice signing an OCR resolution agreement, which included a corrective action plan and a $100,000 financial penalty.