Blue Shield of California discloses data breach, number of members impacted unclear

Data on Blue Shield of California members may have been exposed due to a vulnerability in the MOVEit file transfer platform.

The insurer was notified on Sept. 1 by a vendor that indicated it was a victim of the data breach. The vendor found on Aug. 23 that an unauthorized user had accessed information in the MOVEit server, and the vendor then took the server offline. After an investigation, it was discovered that the unauthorized party extracted data from the server on May 28 and May 31, according to a notice posted by the insurer last month.

The notice does not disclose how many members may have been impacted by the breach, but the insurer said that accessed information may include names, birth dates, addresses, Social Security numbers, group ID numbers, patient ID numbers and vision care diagnoses and treatment information.

Blue Shield said there is "no evidence" that its systems or emails were accessed in the breach.

"Blue Shield members impacted by the MOVEit file transfer tool security breach are being provided with no-cost credit monitoring with identity restoration services," the payer said in the notice. "Blue Shield takes this situation very seriously and is committed to protecting the privacy of members."

Following its identification of the breach and investigation, the vendor rebuilt the MOVEit server "with gold standard build requirements" and took multiple steps to verify the new security protocols before bringing it online.

Data from the Centers for Medicare & Medicaid Services and Oregon Health Plan was also exposed through a vulnerability in the MOVEit platform that was identified in May.