A major Philadelphia insurer is warning 17,000 members that their health information may have been compromised in a data breach resulting from employee error.
After launching an investigation in July, Independence Blue Cross determined that an employee uploaded a file containing member information to a public-facing website. The document was accessible between April 23 and July 20.
Although the insurer was unable to determine whether the data was actually accessed, it is warning members that unauthorized users could have viewed their medical information, including diagnosis codes, provider information and other claims-related information.
Independence Blue Cross says the incident did not involve Social Security numbers or financial information.
“Information privacy and security are among our highest priorities,” the company wrote in a notice (PDF) to members. “Independence has strict security measures in place to protect information in its care. Upon learning of this incident, Independence quickly took steps to ensure the file was permanently removed from the website.”
The insurer is offering 24 months of free identity protection services to affected members. It also says it has implemented new technical controls and reviewed its security policies and procedures.
Employee errors continue to be a significant cybersecurity hurdle for healthcare organizations, with insiders accounting for a sizable portion of data breaches. Most health IT executives see employees as their biggest threat.
While providers account for the vast majority of reported breaches, insurers have experienced some of the largest incidents. Most notably, Anthem was hit with an attack in 2015 that affected nearly 80 million members and ultimately led to a $115 million settlement.