Blue Shield of California Promise Health Plan Announces Data Breach

Console and Associates, P.C.

Recently, Blue Shield of California Promise Health Plan confirmed that the company experienced a data breach related to a subcontractor that works with one of Blue Shield’s third-party vendors. According to Blue Shield, the breach resulted in the following data types being leaked: names, subscriber ID numbers, diagnoses, medications, addresses, dates of birth, sex, advance directives, family history, social history, allergies, vitals, immunizations, encounter data, assessment ID numbers, and assessment dates. On July 11, 2022, Blue Shield filed official notice of the breach and sent out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Blue Shield data breach, please see our recent piece on the topic here.

More Information on the Blue Shield Data Breach

The facts leading up to the Blue Shield breach are complex in that they involve two related companies. The breach first started at a vendor of a subcontractor used by Blue Shield.

According to an official notice filed by the company, on May 20, 2022, Blue Shield of California Promise Health Plan learned that one of the plan’s vendors, Matrix Medical Network, was the victim of a ransomware attack. The Matrix attack was related to an incident at one of the company’s vendors, OneTouchPoint. On April 28, 2022, OneTouchPoint informed Matrix of the incident, and, in turn, Matrix informed Blue Shield of the incident.

Upon learning of the ransomware attack, OneTouchPoint terminated unauthorized access and began an investigation into the incident. The investigation revealed that the unauthorized party had access to plan members’ protected health information.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Blue Shield then reviewed the compromised files to determine what information was compromised and which plan members were affected. While the breached information varies depending on the individual, it may include your name, subscriber ID number, diagnoses, medications, address, date of birth, sex, advance directives, family history, social history, allergies, vitals, immunizations, encounter data, assessment ID number, and assessment date.

On July 11, 2022, Blue Shield sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Blue Shield of California Promise Health Plan is a non-profit health plan offered to California residents, operated by Blue Shield of California. Founded in 1939 in San Francisco, CA, Blue Shield of California provides health, dental, vision, Medicaid and Medicare healthcare service plans in California. Blue Shield of California provides benefits to more than 4.7 members. Blue Shield of California employs more than 7,500 people and generates approximately $21 billion in annual revenue.

Which Companies Can Be Held Responsible for a Data Breach?

Blue Shield noted in its letter to affected patients that the breach stemmed from a ransomware attack at a vendor of one of Blue Shield’s vendors. Based on the available information, it would appear that the unauthorized access did not involve the Blue Shield IT system but the system of OneTouchPoint. Following a data breach, especially one involving multiple companies, victims often wonder which companies can be held accountable for the leaking of their information.

Under U.S. consumer protection and data breach laws, any organization in possession of consumer data has an obligation to protect this information. This includes both organizations that receive consumers’ information directly from the consumer and third-party companies, vendors, service providers and contractors that receive the data second-hand.

In the case of the Blue Shield data breach, there is no indication that Blue Shield was negligent in maintaining its own data security systems. However, depending on how the investigation turns out, it is possible that Blue Shield negligently entrusted consumer data to the third-party service provider.

Of course, OneTouchPoint, or even Matrix Medical Network, could also potentially be independently liable for the breach. Businesses and their data security systems are the first line of defense against cyberattacks. Those businesses that elect not to maintain an adequate data security system jeopardize the safety of the consumer information in their possession.

Data breach laws provide a mechanism for the victims of a data breach to pursue a claim for compensation against the company accountable for the breach. However, determining which company is responsible for a breach requires an in-depth knowledge of these complex laws. Those looking for answers in the wake of the Blue Shield/Matrix/OneTouchPoint data breach should consult with an experienced data breach lawyer to learn more about their rights.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Console and Associates, P.C.
