Was Blue Cross and Blue Shield of New Mexico Breached, Or Did They Mishandle PHI/PII of Former Clients On February 3, 2023

PHI/PII (Protected Health Information and Personally Identifiable Information) is protected by HIPAA (the Health Insurance Portability and Accountability Act). There are rules governing the storage, use, access, and disposal of PHI/PII by "covered entities." These rules are set forth in the HIPAA Security Rule.

Blue Cross and Blue Shield's email on February 3, 2023 constituted a data breach under HIPAA. Whether it was internal or external, major or minor, is unknown. PHI/PII was accessed and used without a legitimate reason; it was USED IMPROPERLY.


What happened on February 3, 2023?

Emails were sent out, branded as being sent by "Blue Cross and Blue Shield of New Mexico." Those emails carried the subject "Claim Notification" and were sent to persons who no longer used Blue Cross and Blue Shield of New Mexico.

These emails:

1. contained PHI/PII that Blue Cross and Blue Shield of New Mexico collected from former clients while those clients were "members" of Blue Cross and Blue Shield of New Mexico,

2. were stripped of BCBS/NM contact information,

3. were sent through, and linked to, a 3rd party server outside BCBS/NM's control, with all links pointing to that 3rd party server, and

4. lacked actual claim information.

A SECOND email was sent to some recipients on the evening of February 3, 2023. It was very similar to the first email; the formatting and wording differed slightly. The 3rd party relay was the same, and the links again pointed to the 3rd party website.
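As an added, defender-side example (not code from the original post or from BCBS/NM), the Python below triages a raw e-mail for the three red flags the list above describes: links that resolve outside the sender's domain, no contact details in the body, and a "claim" notice that carries no claim identifier. The sample message, its sender domain and the relay domain are constructed placeholders.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the pattern described above (placeholder domains).
SAMPLE = """\
From: Claims <claims@insurer.example>
Subject: Claim Notification
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Member, a claim has been processed.</p>
<p><a href="https://notify.relay-example.net/view?id=123">View claim</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Gather href targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def registrable(host):
    # Crude registrable domain: last two labels ("a.b.example.net" -> "example.net").
    return ".".join((host or "").lower().split(".")[-2:])

def triage(raw):
    """Return the red-flag codes found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_dom = registrable(m.group(1)) if m else ""
    part = next(p for p in msg.walk() if p.get_content_type().startswith("text/"))
    body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    links = LinkCollector()
    links.feed(body)
    text = re.sub(r"<[^>]+>", " ", body)
    flags = []
    if {registrable(urlparse(h).hostname) for h in links.hrefs} - {sender_dom, ""}:
        flags.append("off-domain-links")      # links resolve outside the sender's domain
    if not re.search(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}", text):
        flags.append("no-contact-info")       # no phone number to call the sender back on
    if "claim" in msg.get("Subject", "").lower() and not re.search(
            r"claim\s*(?:#|number|id)\s*:?\s*[\w-]+", text, re.I):
        flags.append("no-claim-details")      # "claim" notice with no claim identifier
    return flags
```

Running `triage(SAMPLE)` raises all three flags; a notice whose links stay on the sender's domain and that quotes a claim number and a callback number raises none.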

These are classic "data breach" and phishing exploitation red flags

These emails were sent to FORMER BCBS/NM clients. Instead of being secured as the HIPAA Security Rule requires, former BCBS/NM client data was either seized in a breach and exploited, or used internally and intentionally (possibly as test data).

When BCBS/NM was contacted about the emails, they said that people shouldn't worry, that the emails were "accidentally sent" and "automatically generated." When pressed, BCBS/NM could not explain how the emails were sent, nor would they explain how the PHI/PII was stored or who had accessed it to send the emails.

BCBS/NM is wrong. People SHOULD worry. The emails were sent, they were not necessary, and sending them required accessing PHI/PII.

Any time you receive an email from a person or entity you no longer do business with, using data that is supposed to be protected and appearing to be the result of a breach and/or phishing operation, there is an issue. When it is HEALTHCARE related, it is a serious issue; when it involves PHI/PII, it becomes a serious problem.

There are a few issues with BCBS/NM's explanation and with their handling of the incident. These issues involve HIPAA accountability, BCBS/NM's handling of PHI/PII, and truth in the face of accident, error, improper data use, or breach.

No matter how "small" a data breach appears, all breaches MUST be dealt with seriously. Allowing the continued culture of permissiveness with our data and the lackadaisical approach to security that major corporations take has led to the hundreds of MEDICAL INDUSTRY data breaches we've seen in the last 2 years, and the MILLIONS of patient records exposed in those breaches.

Blue Cross and Blue Shield of New Mexico actively covered up the issue when contacted. They lied about it. They said it was "nothing to worry about."

Data was stored, accessed, and used improperly. Whether it was being used as test data, was in a database of active users, or a breach occurred, the data was accessed by persons without a need for access, and was used improperly.

Blue Cross and Blue Shield needs to fully account for what happened. They need to own and accept that data was improperly accessed and used. They need to create an internal culture that does not excuse inappropriate handling of PROTECTED HEALTH INFORMATION AND PERSONALLY IDENTIFIABLE INFORMATION, no matter how "small" the inappropriate access, handling, or use incident appears.

The Security Rule has been around since 2003. Until providers start taking it seriously, until there's a culture shift from "Most Convenient for the Company" to "Protecting Patient Data," we are going to keep seeing data breaches, and corporations making excuses, including "it's no big deal, don't worry about it." It's our data, we have a RIGHT to be worried, and 20 years on, we have a right to be angry that it's still going on.
