Feodora - stock.adobe.com

BCBS of Massachusetts Reports Third-Party Vendor Data Breach

Blue Cross and Blue Shield (BCBS) of Massachusetts reported a third-party vendor data breach involving its pension plan payment vendor.

Blue Cross and Blue Shield (BCBS) of Massachusetts began notifying 4,855 individuals of a third-party vendor data breach, a notice on the Maine Attorney General’s Office website stated.

The breach originated at LifeWorks US, a vendor used by BCBS of Massachusetts and BCBS of Massachusetts HMO Blue for services related to pension plan payments.

On May 17, 2022, a now former LifeWorks employee emailed spreadsheets containing identifiable information to their personal email address and copied the personal email address of another former LifeWorks employee.

“The former employee says this was done to preserve a formula in the spreadsheet for future use and that the former employee attempted to delete the personally identifiable data in the spreadsheets before sending them, but inadvertently left some information in the spreadsheet, including yours,” the letter stated.

“The former employees have told LifeWorks and their subsequent employer that they did not share the spreadsheets with anyone else and deleted the email and spreadsheets from their personal email accounts.”

LifeWorks notified BCBS of the incident on June 20. The spreadsheets included names, Social Security numbers, addresses, and some pension benefit information.

“Blue Cross is committed to maintaining the privacy and security of your information and is taking this incident very seriously. Since learning of the event, we have taken steps to determine the data involved, details of the incident, and LifeWorks’ plan to prevent reoccurrence,” the notice stated.

“Our contracts with LifeWorks have always required LifeWorks to keep the information of our current and former employees confidential and to have security procedures in place to minimize data security incidents, and we will continue to take steps to ensure that data held by LifeWorks on Blue Cross’ behalf is adequately secured.”

2021 Benson Health Breach Impacts 29K

North Carolina-based Benson Health began notifying 28,913 individuals of a healthcare data breach. On May 5, 2021, Benson Health discovered that an unauthorized party had attempted to gain access to Benson Health’s computer network.

Further investigation revealed that the unauthorized party potentially accessed a dataset containing names, birth dates, Social Security numbers, and health and treatment information.

Benson Health’s investigation concluded on July 7, 2022, more than a year after the initial incident. HIPAA requires covered entities to notify impacted individuals of a healthcare data breach within 60 days of discovery.

“Unfortunately, cyber-attacks such as this are becoming increasingly common worldwide and the healthcare industry has become particularly vulnerable,” a letter to patients stated.

“We are doing everything we can to prevent a similar criminal attack such as this from happening again.”

AllOne Health Suffers Wire Fraud Incident Impacting 13K

AllOne Health, a third-party administrator of occupational health services and employee assistance programs (EAPs), provided a data breach notification to the Maine Attorney General’s Office regarding a theft incident that impacted 13,669 individuals.

“In February 2022, our finance group learned that certain wire transfers meant for one of our payees were unintentionally routed to a fraudulently created bank account,” the notice stated.

“Immediately upon learning of this fraud, we launched an internal investigation to determine what happened and reported the theft to the FBI and local law enforcement.”

Further investigation revealed that an unauthorized individual gained access to an employee’s email account in order to perpetrate the fraudulent transfers. The investigators found that although the unauthorized individual gained access to some financial documents, their primary goal was to commit wire fraud.

“We have seen no evidence that any personal or sensitive information was acquired or sent outside of our network,” the notice continued.

“However, because the unauthorized individual had access to the employee’s email account and may have viewed such information, we are sending you this notification out of an abundance of caution.”

The unauthorized individual potentially viewed or accessed names, addresses, Social Security numbers, limited health information, and birth dates.

AllOne Health said it immediately shut down all unauthorized access, implemented new security measures, and reset all company passwords.

McLaren Port Huron Impacted by MCG Health Breach

McLaren Port Huron, a 186-bed hospital in Michigan, notified the Office for Civil Rights (OCR) of a healthcare data breach impacting 48,957 individuals. According to a notice on its website, the incident stemmed from a breach at MCG Health, a Seattle-based software company provides patient care guidelines to providers and health plans using artificial intelligence and technology solutions.

As previously reported, MCG Health suffered a data breach in March resulting from unauthorized access. According to a recent entry to the HHS Office for Civil Rights (OCR) data breach portal, the incident impacted 793,283 individuals in total. Since MCG disclosed the breach on June 10, at least nine organizations have come forward and said that they were impacted by the breach.

The affected data included names, addresses, phone numbers, gender, dates of birth, medical codes, and Social Security numbers.

“Due to the delay in McLaren Port Huron receiving notice of this event, we have not conducted our own investigation to determine the probability of an actual compromise of our patients’ data arising from this event,” the notice stated.

“We are therefore issuing this notice on the presumption that a breach, as defined under HIPAA, has actually occurred.”

McLaren Port Huron said it directed MCG Health to notify any impacted patients of the breach.

Next Steps

Dig Deeper on Healthcare data breaches