A file transfer platform used by a major insurer in California may have a vulnerability that caused a massive data breach, potentially exposing millions of patient records to cybercriminals.
Blue Shield of California notified the public about the breach in November, saying personal information including names, birth dates, Social Security numbers and patient ID numbers, as well as personal data on the diagnoses and care patients received, may have been accessed by hackers.
The insurer has 4.5 million members, but the notice does not specify how many individuals are impacted. According to coverage from the East Bay Times, despite the notice from Blue Shield being dated Nov. 10, members only received word last week.
According to the statement, a service called MOVIEit, which Blue Shield uses to transfer and store sensitive patient information, was the victim of the breach. The insurer was notified on Sept. 1 of the attack, which an investigation concluded took place between May 28 and 31.
Only the MOVEit server was compromised, with Blue Shield saying their internal emails and systems were not accessed.
MOVEit is a contractor for other insurers, academic institutions and technology companies, and this latest announcement is only one of many involving the same server breach. In July, the Centers for Medicare and Medicaid services announced 612,000 patients were affected when their personal health information was impacted.
In its notice, Blue Shield said it is providing “members impacted by the MOVEit file transfer tool security breach” with “no-cost credit monitoring and identity restoration services.”