Puerto Rican Breach Affects 400,000
Insurer Claims a Competitor Accessed a Database
Triple-S Management Corp., a holding company that runs Blue Cross and Blue Shield plans and serves as a government contractor, said in a recent 10-Q securities filing that a competitor informed it that "certain of our competitor's employees" accessed the database without permission Sept. 9-15. The filing was originally reported at phiprivacy.net.
The database included information pertaining to individuals previously insured under the government health plan that was managed by a Triple-S subsidiary, as well as information about the independent practice associations that provided services to those individuals.
"The database intrusion may have potentially compromised protected health information of approximately 398,000 beneficiaries," according to the 10-Q filing. The company said its investigation also revealed that protected health information of approximately 5,500 government health insurance plan beneficiaries and 2,500 Medicare beneficiaries, plus certain independent practice association data, was inappropriately accessed through multiple intrusions into the database from October 2008 to August 2010. The information accessed did not include Social Security numbers, the company said, but it did not reveal what other information was accessed.
Breach Incident Cause
The company determined that the security breaches were the result of unauthorized use of one or more active user IDs and passwords for the database, according to its 10-Q filing. "We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs," the company said. "We believe, however, that the most likely target was financial information related to IPAs rather than the individuals' information. During the course of our investigation, we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs."
Triple-S Management said it has strengthened its server security and credentials management procedures and is assessing all security measures.
The Puerto Rico Department of Health notified the U.S. Department of Health and Human Services' Office for Civil Rights of the incident, which added it to its list of major health information breaches. Triple-S Management is listed as a business associate of the department.
In terms of the number of individuals potentially affected, the incident ranks as the fourth largest reported to OCR since it began tallying the list in September 2009, as required under the HITECH Act.
Puerto Rican authorities have hit a Triple-S unit with a $100,000 fine for the breach, which the company is appealing, according to its 10-Q filing.