Blue Cross Blue Shield Association data breach

Postby AlphaCentauri » Sat Oct 10, 2009 3:29 pm

Sept. 29, 2009

Recently [local plan name] was made aware that the Blue Cross and Blue Shield Association (BCBSA) -- the licensor of the Blue Cross and Blue Shield brands to [local plan] and to Blue Plans across the United States -- experienced an unauthorized transfer of provider [i.e., hospital, doctor, dentist, nurse practitioner, chiropractor, pharmacist, etc.] network data. As background, you should know that each Blue Plan is required to send weekly updates of its provider network information to BCBSA for purposes of a national directory, including the national Doctor and Hospital Finder Web Site that contains the participating provider listings for all Blue Plans. A BCBSA employee transferred this Blue Plan provider data information onto a personal laptop, in violation of BCBSA's established data security policies. Subsequently, the employee's laptop containing the provider data was stolen. We have no evidence at this time that the information on the stolen laptop has been misused.

As the national association that represents all Blue Plans, BCBSA takes its responsibility to protect your information seriously, and sincerely regrets this loss of data. BCBSA employees receive annual and departmental training on privacy and security procedures, which includes use of encryption software when saving personally identifiable information to mobile devices, and only saving that information to BCBSA-issued devices. BCBSA is reviewing and strengthening its privacy/security controls, as well as its employee training regimen.

The data included the following elements:

Provider name
Provider tax ID/Social Security #

It goes on to offer a 12-month subscription to a credit monitoring service.

Several observations:
WTF is it with allowing people to use social security numbers as if they were signatures, anyway? Why should the fact that criminals have your social security number allow them to apply for credit in your name so easily?

My SSN isn't a secret. Every employer I've ever worked for had to ask me for it to pay me. The purpose of the SSN is to collect and credit social security insurance payments from payroll taxes. All these other uses by financial institutions, insurance companies, academic testing agencies, etc., are in violation of the original intent of the law, which was specifically NOT to create a government identification number for citizens.

While I usually left jobs under amicable circumstances, in one case I had reported a fast food manager for inappropriate sexual advances to underage coworkers and for taking money out of the cash register for personal use. Shortly after I went back to school the manager was fired, and not long after that the restaurant burned down. But that manager had my social security number at the time. And that same number is still valid years later.

So why is 12 months of monitoring supposed to help? It's not like they stole credit card numbers that will be canceled. Those numbers are valid as long as the individuals affected are alive. I can't see criminals saying, "Oh, these social security numbers were stolen last year; there's no point in holding on to that data." I've gotten so many of these letters over the years myself that I can't imagine there are too many social security numbers they don't already have for sale on carder forums.

The same companies that are accepting credit applications without question as long as they include a social security number are discriminating against anyone who puts a fraud alert on their credit bureau accounts, too. Your credit score is automatically lowered so you pay higher interest on loans, even though the most intelligent thing to do would be to put a fraud alert on your account all the time, so you would always get notified when someone tried to take out a new account in your name.

Oh yeah, to take advantage of this credit monitoring, I have to go to the website of this credit monitoring company I've never heard of and give them more personal information about myself, so they know it's really me. The social security number isn't enough. They want highly personal information from me, information that would make it even harder for me to distinguish my own activity from that of a criminal if they lost it. Why do they need to know that? Just notify me if someone takes out a new account. They have my name, social security number and address, for pity's sake.

As far as the employee who lost the laptop: It's fine to say that he/she violated policy by using a device not issued by the employer. But these same Blues plans require "providers" to use Internet Explorer to check eligibility or get prior authorization for procedures. They don't provide their own software for that purpose, and they don't provide a list of the URLs that need to be added to the IE "Trusted Zone," either. Lots of their "providers" are solo or small group professionals who don't have IT departments to know how to customize their computers to limit which sites employees can visit. The Blues honestly expect that all those small businesses will have their employees using IE as the default browser, and that it will be set to the lowest security setting for all web sites visited. So with that background, if you were a Blues employee, which storage device would you trust -- your own laptop, that has been under no one's control but your own, or one issued by the Blues and used by who knows what other employees? The employee didn't have to be careless about the laptop, either. No one expects his home to be burglarized, but plenty of laptops are lost that way.


Re: Blue Cross Blue Shield Association data breach

Postby meep » Sat Oct 10, 2009 3:46 pm

Nearly all of us, particularly those who live in the USA, who do not live "off the grid" will have our data breached at some point. It is inevitable given the odds of how many places store your personal info even if it is old: schools, local, state and federal governments, hospitals, current and former employers, potential employers, retail stores, credit card companies, credit reporting agencies, gas companies, electric companies, banks, on and on. And we know a lot of personal data of US citizens is outsourced to other countries in call centers in Asia and other places.

I think the difference now in part is, in most US states victims of stolen data have to be notified, whereas just a few short years ago it was not a requirement. The stealing of personal data has been going on a long time, but with so much now linked online, and so much data now digitalized, theft is more rampant.

At least in the European Union, privacy matters a bit more, and this information cannot be bought and sold as it is in the US. The potential for abuse and loss of data in the US is much higher with this in mind.

Re: Blue Cross Blue Shield Association data breach

Postby AlphaCentauri » Sat Oct 10, 2009 4:19 pm

But the breached data is only valuable if secrecy is assumed to be the default state of affairs. With SSNs, it never was.

I learned mine in high school to label the "bubble forms" for my college aptitude tests, and I've been handing it out to people who claim they need it ever since. The problem isn't that people have it, it's that banks got the idea that no one else besides me ought to have it, therefore they can ask for it, and if I can provide it, I have proved who I am. That's a crazy assumption, really.