top of page

Cybersecurity, Vendors and Stolen Laptops

Blue Cross Blue Shield of Michigan is a medical insurer located in MI. There clients are varied, work for employers- small to large-sized, and are located through the state.


BCBS uses contractors for various roles throughout the company. One vendor is COBX Co. COBX is a wholly owned subsidiary of BCBS. The subsidiary is tasked with the Medicare Advantage Services for their clients. An employee of COBX had their laptop stolen on October 26, 2018. BCBS of Michigan notified approximately 15,000 Medicare Advantage members of a potential breach. The notification was done via letter. While this is not a good things, it is pertinent that at least the laptop was encrypted and did have the password required. Normally, this would be fine if the encryption was above a certain baseline protocol. The problem was the employee’s credentials could have been compromised, meaning the person with the laptop would still be able to access the data.


The affected BCBS customer’s social security numbers and financial information were not accessible from the stolen laptop, fortunately. The data that was available was includes the customer’s first name, last name, date of birth, gender, medication, diagnosis, provider information, and enrollee identification numbers.


There had been no direct evidence the customer’s data had been accessed. With this type of issue, although there is no direct type of evidence of this being used for malicious means, it does not mean it has not been used and no guaranty it won’t be used in the near future. BCBS of Michigan noted there is a low chance of identity theft due to the nature of the data involved. BCBS is offering the affected parties AllClearID identity protection services. The term for this service is two years and is free to the customers potentially at risk. The contractor involved did have his credentials changed once the issue came to light. BCBS of Michigan is working with COBX in reviewing their policies and procedures. They are also putting additional safeguards in place.

Comments, Concerns, etc.

The laptop required a password for access and was encrypted, which required another password. Normally, this may be a non-issue, as with most industry accepted encryption protocols to brute force this or decrypt the data would require several lifetimes. Due to the announcement with the notice of the contractor’s credentials may have been compromised, this nearly leads me to believe the credentials may have been openly accessible as in written on a post-it note on the laptop or otherwise easily acquired.


BCBS of Michigan. (2019, January 2). Data breach affects 15,000 medicare customers of

blue cross blue chield of Michigan. Retrieved from

Dissent. (2019, January 3). Double whammy: BCBS of Michigan policyholders hit by two breaches in December. Retrieved from

Haefner, M. (2018, December 31). BCBS of Michigan: Data breach may have affected 15,000 medicare members. Retrieved from

HIPAA Journal. (2018, December 31). 15,000 customers notified about blue cross blue shield of Michigan data breach. Retrieved from

Livengood, C. (2018, December 28). Blue cross alerts 15,000 medicare customers of potential data breach. Retrieved from

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Featured Posts
Check back soon
Once posts are published, you’ll see them here.
Recent Posts
Search By Tags
No tags yet.
Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square
bottom of page