Blue Shield of California, a leading health insurance provider, recently experienced a cybersecurity breach that potentially compromised the personal data of its members.
The attack targeted the files of a contracted vendor responsible for managing vision benefits for a significant portion of Blue Shield’s clientele.
The data may have included names of members, their dates of birth, Social Security numbers and information related to vision health care.
The breach, which may also have included diagnosis and treatment information, has left thousands of individuals at risk of identity theft and other financial crimes, according to a Nov. 17 press release from Blue Shield.
Details of the Breach
The breach occurred during the spring of 2023, but Blue Shield remained unaware. The Oakland-based company has about 4.8 million members, mostly in California.
Hackers stole the data from a Blue Shield server managing vision care data on May 28 and May 31, according to the release. A vendor for Blue Shield, which the release did not identify, discovered the breach on Aug. 23 and reported it to Blue Shield on Sept. 1.
What Caused the Breach?
The Blue California vendor data breach was caused by a vulnerability in MESVision’s MOVEit server. This vulnerability allowed an unauthorized third party to access and remove information from the server.
Impact of the Breach
The extent of the data breach remains unclear, but Blue Shield has proactively offered affected members complimentary credit monitoring and identity restoration services.
Additionally, the company has advised members to closely monitor their credit reports and account statements, promptly reporting any suspicious activity to law enforcement.
Blue Shield’s Response
Blue Shield’s handling of the breach has drawn criticism, with some experts questioning the company’s delayed notification of affected members.
On November 17, 2023, Blue Shield of California (“Blue California”) filed a notice of data breach with the Attorney General of Montana.
In the notice, Blue California explained that one of its vendors, Medical Eye Services, Inc. (“MESVision”), experienced the data breach.
In response to the breach, Blue Shield says it has opened a dedicated call center to answer questions—it can be reached at 1-866-983-2632 Monday through Friday from 8 a.m. to 7 p.m. Central Time, excluding major U.S. holidays.
Blue Shield also offers free credit monitoring with identity restoration services for anyone impacted by the data breach.
Blue Shield has taken steps to notify affected individuals and provide them with resources to protect their identities. The company has also implemented additional security measures to prevent future breaches.
Signs of Identity Theft
The following can indicate if you are a victim of identity theft:
- You see withdrawals from your bank account that you can’t explain.
- You don’t get your bills or other mail.
- Merchants refuse your checks.
- Debt collectors call you about debts that aren’t yours.
- You find unfamiliar accounts or charges on your credit report.
- Medical providers bill you for services you didn’t use.
- Your health plan rejects your legitimate medical claim because the records show you’ve reached your benefits limit.
What You Can Do
If you are a Blue Shield member affected by the breach, the health care provider recommends you do the following:
- Closely review credit reports and account statements, and notify the bank or other institution maintaining your account.
- Report any fraudulent activity or suspected identity theft to law enforcement, the Federal Trade Commission or the Attorney General's office in your home state.
- Blue Shield recommends placing a fraud alert on your credit file. An initial fraud alert is free and will stay on your credit file for at least 90 days.
- The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name.
- You may also want to consider placing a security freeze on your credit file, which will prevent new credit from being opened in your name without the use of a PIN.
- A security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. Security freezes also require you to contact one of the three credit reporting agencies above.
Blue Shield is encouraging members to visit its website for the latest information about the data breach. The company is also providing regular updates on its social media channels.