Highmark BCBS of Delaware Probes Data Breach Impacting 19K People

Highmark BlueCross BlueShield of Delaware is investigating a data breach that has affected 19,000 members of employer-paid health plans. The breach involves two contractors of Highmark BCBS – BCS Financial Corporation and Summit Reinsurance Services.

Karen Kane, Highmark BCBS director of privacy and information management, released a statement saying that 16 current and former Highmark self-insured clients have been affected.

Affected individuals have now been notified of the breach by mail. The breach notification letters were sent by Summit Reinsurance Services (SummitRe). The letters informed customers that some of their highly sensitive protected health information may have been accessed by unauthorized individuals.

SummitRe discovered a ransomware infection on August 5, 2016, but a forensic investigation of the cyberattack showed that Summit’s systems were first accessed on March 12, 2016. SummitRe stated in the letters that the forensic investigation into the breach is ongoing, and that no direct evidence has been found to suggest that any ePHI stored on the affected computer network has been misused.

The types of data that may have been accessed include names, medical records relating to insurance benefits – including medical diagnoses, providers’ names, and details of health coverage – Social Security numbers, and some medical information.

Patients affected by the breach have been offered one year of credit monitoring and identity restoration services to protect them against fraud and identity theft.

For the time being, details of the nature of the cyberattack are being withheld while the investigation continues. One question likely to be asked is what happened during the five months between the initial intrusion and the ransomware infection.

Attackers are known to deploy ransomware after they have obtained all the data of value to them and no longer need access to the compromised systems. In this case, it is not clear whether any files were exfiltrated during those five months.

SummitRe has been criticized for the letter sent to affected individuals because it was not abundantly clear who the organization was. Affected individuals would have been unlikely to have had any prior contact with the organization, because their insurance policies were provided through their employers.

Delaware Insurance Commissioner Trinidad Navarro said the letter “seems as though it’s A) an advertisement, or B) a racket.” Navarro also said, “Unluckily, we dread that several might have misunderstood or unintentionally rejected the letter.”

One of the breach notification letters was passed to NBC 10 reporters by an affected patient. The letter was dated January 4, 2016. It is not clear why it took five months for patients to be notified of the breach – nearly 10 months after the computer network was first accessed without authorization.

HIPAA Breach Notification Rule Requirements for Notifying Individuals of Data Breaches

The HIPAA Breach Notification Rule requires covered entities to notify individuals of a suspected ePHI breach within 60 days of discovery of the breach. Last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) sent a strong message to covered entities about the importance of issuing timely breach notifications. Presence Health of Illinois agreed to settle potential violations of the HIPAA Breach Notification Rule after OCR investigators found that it had delayed breach notifications by three months following a 2013 security incident affecting 836 individuals. Presence Health will pay OCR $475,000 as part of the settlement agreement.

Posted by Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.