Cybersecurity, Vendors and Stolen Laptops
Blue Cross Blue Shield of Michigan is a medical insurer located in Michigan. Its clients are varied, work for employers ranging from small to large, and are located throughout the state.
BCBS uses contractors for various roles throughout the company. One vendor is COBX Co., a wholly owned subsidiary of BCBS that handles Medicare Advantage services for BCBS clients. An employee of COBX had a laptop stolen on October 26, 2018. BCBS of Michigan notified approximately 15,000 Medicare Advantage members of a potential breach; the notification was done by letter. While none of this is good news, it is pertinent that the laptop was at least encrypted and required a password. Normally this would be acceptable, provided the encryption met a reasonable baseline. The problem was that the employee’s credentials could also have been compromised, meaning whoever held the laptop might still have been able to unlock it and access the data. Encryption at rest protects the disk only for as long as the unlock credential stays out of the thief’s hands.
Fortunately, the affected BCBS customers’ Social Security numbers and financial information were not accessible from the stolen laptop. The data that was exposed included the customers’ first name, last name, date of birth, gender, medication, diagnosis, provider information, and enrollee identification numbers.
There has been no direct evidence that the customers’ data was accessed. With this type of incident, however, the absence of evidence that the data has been used for malicious purposes does not mean it has not been used, and there is no guarantee it won’t be used in the near future. BCBS of Michigan noted there is a low chance of identity theft given the nature of the data involved. BCBS is offering the affected parties AllClear ID identity protection services, free of charge for two years, to the customers potentially at risk. The contractor’s credentials were changed once the theft came to light. BCBS of Michigan is working with COBX to review its policies and procedures, and additional safeguards are being put in place.
Comments, Concerns, etc.
The laptop required a password for access and was encrypted, which required another password. Normally this would be a non-issue: with most industry-accepted encryption algorithms, brute-forcing the key or otherwise decrypting the data would require several lifetimes. The practical weak point of full-disk encryption is therefore not the cipher but the passphrase that unlocks the key, and a passphrase that has leaked costs the attacker nothing at all. Given that the notice stated the contractor’s credentials may have been compromised, this nearly leads me to believe the credentials may have been openly accessible, as in written on a Post-it note on the laptop, or otherwise easily acquired.
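To make the "weakest link" point concrete, the following is an added worked example (not from the original article or from BCBS/COBX) that compares how long an attacker holding a powered-off, encrypted laptop would need under three conditions: brute-forcing the cipher key, brute-forcing the passphrase through a password-based KDF, and simply knowing the credential. The attacker throughput (1e9 raw hash operations per second), the KDF iteration count (100,000) and the passphrase policies are assumed illustrative figures, not facts from the incident.

```python
import math

# Assumed illustrative figures; nothing here is drawn from the BCBS/COBX incident.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to recover a `bits`-bit secret by exhaustive search.
    On average half the keyspace is tried before the right value is hit."""
    return (2.0 ** bits) / 2.0 / guesses_per_second / SECONDS_PER_YEAR


def effective_guess_rate(raw_hashes_per_second: float, kdf_iterations: int) -> float:
    """A password-based KDF (PBKDF2, Argon2, ...) costs `kdf_iterations` hash
    operations per candidate passphrase, so the attacker's passphrase guess
    rate is the raw hash rate divided by the iteration count."""
    return raw_hashes_per_second / kdf_iterations


def laptop_exposure_years(cipher_bits: int, passphrase_alphabet: int,
                          passphrase_length: int, raw_hashes_per_second: float,
                          kdf_iterations: int, credential_known: bool) -> float:
    """Expected years an attacker holding the powered-off laptop needs to
    read the disk. Full-disk encryption is only as strong as the weakest of:
      * the cipher key itself (brute force of the key),
      * the passphrase that unlocks the key (brute force through the KDF),
      * the credential, if it was written down or otherwise leaked (zero effort)."""
    if credential_known:
        return 0.0  # a Post-it note beats any cipher
    cipher_years = expected_crack_years(cipher_bits, raw_hashes_per_second)
    passphrase_years = expected_crack_years(
        keyspace_bits(passphrase_alphabet, passphrase_length),
        effective_guess_rate(raw_hashes_per_second, kdf_iterations),
    )
    return min(cipher_years, passphrase_years)


if __name__ == "__main__":
    rate, iters = 1e9, 100_000  # assumed attacker throughput and KDF cost
    scenarios = {
        "AES-256 key, brute force of the key":      expected_crack_years(256, rate),
        "8 lowercase chars, via KDF":               laptop_exposure_years(256, 26, 8, rate, iters, False),
        "12 printable-ASCII chars, via KDF":        laptop_exposure_years(256, 95, 12, rate, iters, False),
        "passphrase leaked with the laptop":        laptop_exposure_years(256, 95, 12, rate, iters, True),
    }
    for name, years in scenarios.items():
        print(f"{name:45s} {years:12.3e} years")
```

The output shows the cipher key at roughly 1e57 years, an eight-character lowercase passphrase at a fraction of a year even with a 100,000-iteration KDF, and zero once the credential is known: the protection BCBS could claim for the stolen laptop depends entirely on the strength and secrecy of the unlock credential, not on the encryption algorithm.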
BCBS of Michigan. (2019, January 2). Data breach affects 15,000 Medicare customers of Blue Cross Blue Shield of Michigan. Retrieved from https://www.cisomag.com/data-breach-affects-15000-medicare-customers-of-blue-cross-blue-shield-of-michigan/
Dissent. (2019, January 3). Double whammy: BCBS of Michigan policyholders hit by two breaches in December. Retrieved from https://www.databreaches.net/double-whammy-bcbs-of-michigan-policyholders-hit-by-two-breaches-in-December/
Haefner, M. (2018, December 31). BCBS of Michigan: Data breach may have affected 15,000 Medicare members. Retrieved from https://www.beckershospitalreview.com/player-issues/bcbs-of-michigan-data-breach-may-have-affected-15-000-medicare-members.html
HIPAA Journal. (2018, December 31). 15,000 customers notified about Blue Cross Blue Shield of Michigan data breach. Retrieved from https://www.hipaajournal.com/15000-customers-notified-about-blue-cross-blue-shield-of-michigan-data-breach/
Livengood, C. (2018, December 28). Blue Cross alerts 15,000 Medicare customers of potential data breach. Retrieved from https://www.crainsdetroit.com/insurance/blue-cross-alerts-15000-medicare-customers-potential-data-breach
About the Author - Charles Parker, II has been working in the information security field for over a decade, performing penetration tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and information security policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.