Boise-based Blue Cross of Idaho is notifying some of its patients of a data breach, caused by a hack on its provider portal.

According to officials, the portal was breached on March 21 in an attempt to fraudulently reroute financial transactions made by providers. Access was shut off and the portal was secured within the day. On March 22, officials determined the hacker was able to access provider remittance data, which contained protected health information.

The compromised data included patient names, subscriber or enrollee numbers, dates of service, provider names, patient account numbers, claims number and payment data, and procedure codes. Social Security numbers, driver’s licenses, banking details, and diagnoses were not breached during the security incident.

The hack was reported to the FBI, which launched an investigation. Further, officials said their internal cybersecurity and financial leaders are working with outside experts to review the impacted portal and the associated financial transactions.

The investigation determined the hackers were able to access the patient data for about 1 percent of Blue Cross of Idaho’s membership, officials said. The insurer is still working with the FBI on its investigation, in addition to reviewing its online and portal security to ensure data is protected.

Members will receive new ID cards with new membership numbers within the next few weeks. Further, officials said they're offering patients three years of free credit monitoring and identity theft restoration services. Typically, breached organizations offer just one year of credit monitoring services for impacted patients. The extended time period provided by Blue Cross likely reflects the nature of the hack: attempted fraud.

“While the provider remittance documents did not include any member’s bank account or credit card information, Blue Cross of Idaho still recommends that members remain vigilant to the possibility of fraud and identity theft by reviewing their bank, credit card and other financial statements for any unauthorized activity,” officials said in a statement.

“Members should contact their bank directly if they would like to place an alert on their bank account or change their bank account number,” they added.

Officials are continuing to review financial accounts and the provider portal to ensure only legitimate transactions are going through the system. The insurer will also make “continuous improvements to its provider portal and online security based on the results of this investigation and best practices used across the industry.”

The Blue Cross of Idaho breach bears the hallmarks of the recently reported Palmetto Health phishing attack. In that case, according to officials, the investigation determined the hackers were attempting to gain access to payroll information.

Meanwhile, a recent Proofpoint report found that email fraud attacks on healthcare increased by 473 percent between the first quarter of 2017 and the fourth quarter of 2018.


SOURCE: https://healthitsecurity.com/news/hackers-breach-blue-cross-of-idaho-provider-portal-in-fraud-attempt