Independence Blue Cross says a file containing limited member information was mistakenly posted to a public website that was accessible between April 23 and July 20

A big Blue Cross plan is notifying some plan members of a privacy violation when an employee posted sensitive information on a public website earlier this spring and summer.

Independence Blue Cross, which has 8.5 million plan members in 28 states and Washington, D.C., including 2.5 million members in and around Philadelphia, says a file containing limited member information was mistakenly posted to a public website that was accessible between April 23 and July 20. The plan didn’t say which specific website.

Certain information of about 17,000 plan members was viewable for several months. The information included members’ names, dates of birth, diagnosis codes, provider information and other information used for claim processing purposes but not social security numbers, financial information or credit information, the plan says.

“Another Independence employee notified the privacy office on the same day that they discovered the subject file,” a plan spokesman says. “We quickly launched an investigation to determine the nature and scope of this incident, working with a leading forensics investigation firm to confirm what happened and what information may have been affected.”

Independence Blue Cross provided some detail on how certain plan member information was mistakenly posted.

advertisement

“Our investigation determined that an employee uploaded a file containing limited member information to a public-facing website of the employee’s personal start-up company,” the spokesman says.

For the plan members whose data was exposed, Independence Blue Cross says it is providing certain help such as 24 months of free credit monitoring and identity protection services.

Independence Blue Cross says it is taking measures against any future potential problems, although it didn’t elaborate. “Upon learning of this incident, Independence quickly took steps to ensure the file was permanently removed from the website. Independence reviewed company policies and procedures and implemented additional technical controls to help prevent future incidents of this kind,” the plan says.

Keep up with latest coverage on digital healthcare by signing up for Internet Health Management News today.

advertisement