FBI investigating Blue Cross of Idaho data breach. Here’s what you need to know

Posted at 1:36 PM, Apr 12, 2019
and last updated 2019-04-12 17:00:57-04

MERIDIAN — Blue Cross of Idaho Health Service, Inc. says someone accessed its provider portal and obtained protected health information for 5,600 of its members.

“On March 21 (of this year), an unauthorized user accessed Blue Cross of Idaho’s online provider portal with the intent of fraudulently rerouting a provider financial transaction. Blue Cross of Idaho stopped the attempted financial fraud and secured the portal. On March 22, Blue Cross of Idaho determined the unauthorized user was able to access provider remittance documents, which contained personal health information,” according to a Blue Cross news release.

The information the unauthorized user had access to includes member names, enrollee/subscriber number, date of service, healthcare provider name, the provider’s patient account number, claim number, claims payment information and procedure code. The information did not include any member’s Social Security number, driver’s license number, banking or credit card numbers or information about medical diagnoses.

Blue Cross of Idaho has reported the incident to the FBI. “Blue Cross of Idaho has also engaged internal and external cybersecurity and financial experts to review the provider portal and associated financial transactions. Based on the results of the investigation, (we) believe that the attacker was able to access information for approximately one percent of its overall membership,” the news release said.

Blue Cross is cooperating with the FBI investigation and is continuing to review its provider portal and online security to ensure its members’ data is safe.

Blue Cross is not aware of any improper use, or attempted use, of this information, but is actively taking steps to protect its members. “In the next seven to ten business days, most members will receive a new member ID card with a new member number. Any member that experiences problems using their benefits before receiving their new card is encouraged to call Blue Cross of Idaho’s Customer Service Department at 986-224-4154 or toll free at 833-623-7995,” the news release said.

To help protect members’ identities, Blue Cross is offering a complimentary three-year membership for credit monitoring and identity theft restoration services. Each affected member is receiving a personal notification letter with instructions on how to enroll in this service.

“Blue Cross recommends that all impacted members review their Explanation of Benefits (EOB) statements. If any member finds healthcare services listed on their EOB that they did not receive, they are strongly encouraged to contact Blue Cross of Idaho immediately,” the news release said.

While the provider remittance documents did not include any member’s bank account or credit card information, Blue Cross of Idaho still recommends that members remain vigilant to the possibility of fraud and identity theft by reviewing their bank, credit card and other financial statements for any unauthorized activity. Members should contact their bank directly if they would like to place an alert on their bank account or change their bank account number.

“Blue Cross of Idaho takes this incident seriously and has taken multiple actions in response,” the news release said. “It’s removed the unauthorized user’s access to the provider portal as soon as it was discovered … reported the incident to the FBI and is cooperating fully with the investigation … and has also engaged both internal and external cybersecurity experts to review the incident. Blue Cross of Idaho is reviewing its financial accounts and provider portal to ensure that only legitimate transactions are occurring.”

If any member has questions or needs additional information, they can call the Blue Cross of Idaho Customer Service Department at 986-224-4154 or toll free at 833-623-7995.

Blue Cross of Idaho is a not-for-profit mutual insurance company based in Meridian.