BCBS of Alabama ‘re-evaluates’ USB marketing campaign following backlash over security concerns

Blue Cross and Blue Shield of Alabama sent letters to small business members with a USB card attached.

Blue Cross and Blue Shield of Alabama is reconsidering a marketing campaign involving a USB card attached to a mailer that prompted a flood of online criticism about potential security concerns.

The questionable marketing campaign first came to light on Tuesday when TJ Gamble, CEO of Jamersan, a B2B e-commerce company located in Opelika, Alabama, posted the mailer on Twitter, calling it the “prototype for the next big wave of security breaches.”

In an email to FierceHealthcare, Gamble explained that his company, which uses BCBS of Alabama to provide insurance to its employees, received the letter on Friday. It was addressed to an employee who handles HR at Jamersan.

“I am excited to share with you a series of informational videos you may view by using the attached Web key device,” the letter reads. “Along with your renewal packet, these videos will help you get acquainted with your 2017 plan benefits, tools and services.”

The letter was signed by Rebekah Elgin Council, senior vice president and chief marketing officer at BCBS Alabama. A spokesperson for the company said the mailer was sent to “some of our small business customers” and confirmed that the USB card contained educational videos. She did not respond to questions about how many letters were sent or whether the campaign was reviewed by the IT team.

“It’s definitely a marketing promotion,” Gamble said. “However, if they are organized in a way to let this get out the door then who knows what they will send out to current individual customers?”

Gamble’s initial tweet was retweeted nearly 3,400 times and the insurer’s approach was roundly criticized by security and IT professionals online. In a LinkedIn post and a subsequent video, Gamble, who noted that he is not a cybersecurity expert, pointed out the dangers of inserting any unknown device into your computer, and argued that the approach could be easily replicated by cybercriminals.

“The problem is sending these types of mailings adds a legitimacy to delivering these types of devices,” he said in the video. “If I were going to try to exploit a company’s systems, then this is a possible entry point.”

He added that most people are aware that “plugging in unknown, unsolicited USB devices is just a generally accepted bad idea.”

“Blue Cross and Blue Shield of Alabama recognizes the importance of exercising the proper security measures before inserting an unknown device, even from a reputable source, into a computer or electronic device,” a spokesperson told FierceHealthcare. “Due to the current technical environment and breach risks, our company is re-evaluating this communication tool. The security of our customers’ information remains one of our top priorities.”

Many companies and healthcare organizations have software to block unknown devices, but older systems may be more vulnerable. Much of the online discussion focused on how simple it would be for cybercriminals to replicate the marketing letter and the USB device for malicious purposes.  

In the age of global ransomware attacks and nation-state cybercriminals, the threat of malware from USB devices has largely dissipated. In 2015, the American Dental Association accidentally mailed malware-infected thumb drives to member offices. Four years ago, a Medicare contractor was blamed for putting the information of more than six million beneficiaries at risk by failing to prohibit or restrict unauthorized USB access in its computer systems.