Posted On July 19, 2022 Consumer Privacy & Data Breaches
July 19, 2022 – Recently, Blue Shield of California Promise Health Plan reported a data breach affecting certain members stemming from a ransomware attack at one of the plan’s subcontractors, Matrix Medical Network. According to Blue Shield, the breach resulted in the following data types being leaked: name, subscriber ID number, diagnoses, medications, patient address, date of birth, sex, advance directives, family history, social history, allergies, vitals, immunizations, encounter data, assessment ID number, and assessment dates. On July 11, 2022, Blue Shield of California Promise Health Plan filed an official notice of the breach and began sending data breach letters to affected members.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Blue Shield data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Blue Shield of California Promise Health Plan.
The facts leading up to the Blue Shield breach are complex in that they involve two related companies. According to an official notice filed by the company, on May 20, 2022, Blue Shield of California Promise Health Plan learned that one of the plan’s vendors, Matrix Medical Network, was the victim of a ransomware attack. The Matrix attack was related to an incident at one of the company’s vendors, OneTouchPoint. On April 28, 2022, OneTouchPoint informed Matrix of the incident, and, in turn, Matrix informed Blue Shield of the incident.
Upon learning of the ransomware attack, OneTouchPoint terminated unauthorized access and began an investigation into the incident. The investigation revealed that the unauthorized party had access to plan members’ protected health information.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Blue Shield then reviewed the compromised files to determine what information was compromised and which plan members were affected. While the breached information varies depending on the individual, it may include your name, subscriber ID number, diagnoses, medications, address, date of birth, sex, advance directives, family history, social history, allergies, vitals, immunizations, encounter data, assessment ID number, and assessment dates.
On July 11, 2022, Blue Shield sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Blue Shield of California Promise Health Plan is a non-profit health plan offered to California residents, operated by Blue Shield of California. Founded in 1939 in San Francisco, CA, Blue Shield of California provides health, dental, vision, Medicaid and Medicare healthcare service plans in California. Blue Shield of California provides benefits to more than 4.7 members. Blue Shield of California employs more than 7,500 people and generates approximately $21 billion in annual revenue.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Blue Shield data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Blue Shield of California Promise Health Plan (the actual notice sent to consumers can be found here):
I am the Chief Privacy Official for Blue Shield of California Promise Health Plan. It is my job to help protect the privacy of our members’ protected health information and to investigate any incident where a member’s protected health information may have been improperly accessed, used or disclosed in violation of the Health Insurance Portability and Accountability Act (HIPAA) and other privacy laws. I am writing to notify you about a privacy incident that may have impacted your protected health information. Please accept our sincere apologies for any concern this may cause you.
On May 20, 2022, Blue Shield learned that a subcontractor of a Blue Shield vendor, Matrix Medical Network (‘Matrix’), was the victim of a ransomware event. On April 28, 2022, Matrix’s subcontractor, OneTouchPoint (‘OTP’), detected suspicious network activity and confirmed a threat actor had infiltrated OTP’s servers. Matrix notified Blue Shield about the incident on June 16, 2022; your protected health information may have been accessed.
Upon discovery, OTP immediately terminated the unauthorized access and began an investigation into the matter. The investigation revealed that the unauthorized user may have had potential access to members’ protected health information. We are unable to confirm if the unauthorized user used, collected, transferred, or downloaded this information. However, out of an abundance of caution, Blue Shield is notifying you of this incident.
WHAT INFORMATION WAS INVOLVED
Your protected health information that may have been accessed included your name, subscriber ID number, diagnoses, medications, patient address, date of birth, sex, physician demographics information, advance directives, family history, social history, allergies, vitals, immunizations, encounter data, assessment ID number, and assessment date.
There was no access to other types of your protected health information, such as your Social Security number, driver’s license number, or banking or credit card information.
WHAT WE ARE DOING
Blue Shield takes this incident very seriously. We are committed to maintaining your privacy. OTP immediately terminated the unauthorized access, took mitigation actions, and began an investigation into the matter. OTP is also evaluating the need for additional steps and will continue to make security improvements.
To help protect your identity, Blue Shield is offering you complimentary access to Experian IdentityWorks℠ for one year.
If you believe there was fraudulent use of your information as a result of this incident and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent. If, after discussing your situation with the agent, it is determined that identity restoration support is needed, an Experian Identity Restoration agent will be available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).
Please note that Identity Restoration is available to you for one year from the date of this letter and does not require any action on your part at this time. The Terms and Conditions for this offer are located at [Redacted].
While identity restoration assistance is immediately available to you, we also encourage you to activate the fraud detection tools available through Experian IdentityWorks as a complimentary one-year membership. This product provides you with superior identity detection and resolution of identity theft. To start monitoring your personal information, please follow the steps below:
If you have questions about this product, need assistance with Identity Restoration that arose as a result of this incident or would like an alternative to enrolling in Experian IdentityWorks online, please contact Experian’s customer care team at (833) 420-2831 by October 31, 2022. Be prepared to provide engagement number [Redacted] as proof of eligibility for the Identity Restoration services by Experian.