Personally identifiable information of a limited number of insurance applicants has been exposed online, according to an announcement by Blue Cross and Blue Shield of Florida, dba Florida Blue.
Florida Blue was made aware of the exposure of patient data in late August and quickly launched an investigation. Florida Blue reports that the investigation showed 475 insurance applications had been loaded to the cloud by an unaffiliated insurance company, Real Time Health Quotes (RTHQ).
The data backup was composed of agency files and copies of health, dental, and life insurance applications from 2009 to 2014. Those files were left exposed as an unsecured cloud server was used to hold the backup files. Due to this, those files could have been seen by the public via the Internet.
While data access and theft of personally identifiable information could still result from this breach, Florida Blue has received no reports that any of the exposed data has been used for malicious purposes.
The files held information such as the names of applicants, dates of birth, demographic information, medical histories, Social Security details, and limited banking and payment information. Following the discovery that information had been left accessible, RTHQ took steps to fix the vulnerability and the information is no longer available to unauthorized individuals.
The incident was identified by Florida Blue on August 30, 2017, and patients were alerted of the breach by mail in late October. Even though Florida Blue was not to blame for the breach, and has no partnership with RTHQ, affected applicants have been contacted and offered two years of identity theft protection services for free. Florida Blue said it is still reviewing the incident, and is trying to discover how RTHQ obtained the application information and why the information was held on an unsecured cloud server.
The breach report made to the Department of Health and Human Services’ Office for Civil Rights states that 939 individuals have been affected by the incident.