Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced to the public that the personally identifiable information of a small number of insurance applicants has been improperly accessed online.
Florida Blue discovered the exposure of patient data in late August 2017 and immediately initiated a review. Florida Blue reports that the review showed that 475 insurance applications had been saved to the cloud by an unaffiliated insurance agent, Real Time Health Quotes (RTHQ).
The data backup included agency files and some copies of health, dental, and life insurance applications from the period 2009-2014. Those files were left accessible because an unsecured cloud server was used to store the backup files. As a result, the files could have been obtained by the public via the Internet.
Though data access and theft of personally identifiable information could still occur, Florida Blue has not been made aware that any of the exposed information has been used for malicious purposes.
The files contained information including the names of applicants, dates of birth, demographic information, medical histories, Social Security numbers, and restricted banking and payment information. After learning that the information had been left unsecured, RTHQ took steps to address the flaw, and the information can no longer be obtained by unauthorized people.
Florida Blue discovered the breach on August 30, 2017, and patients were notified by mail in late October. Although Florida Blue was not to blame for the breach and has no partnership with RTHQ, affected applicants have been offered 24 months of identity theft protection services without charge. Florida Blue said it is still looking into the incident and is trying to ascertain how RTHQ gained access to the application information and why the information was saved on an unsecured cloud server.
The breach report filed with the Department of Health and Human Services’ Office for Civil Rights shows that 939 individuals have been impacted by the HIPAA breach incident.