How Physicians' SSNs Were ExposedBlue Shield of California Mistake Leads to Breach
Several Blue Shield of California spreadsheet reports inadvertently containing the Social Security numbers of 18,000 physicians and other healthcare providers were released 10 times by the state's Department of Managed Health Care .
In California, health plans electronically submit monthly to DMHC a roster of all physicians and other medical providers who have contracts with the insurers. Those rosters are supposed to contain the healthcare providers' names, business addresses, business phones, medical groups and practice areas. DMHC makes those rosters available to the public, upon request.
In May, an analyst at DMHC discovered that spreadsheet rosters submitted by Blue Shield of California for February, March and April 2013 mistakenly contained Social Security numbers for a total of about 18,000 medical providers, DMHC privacy officer Sarah Ream tells Information Security Media Group.
DHMC had released those rosters, including Social Security numbers, 10 times between March 2013 and April 2014 in response to public record request by several entities, including competing health plans and media outlets, she says. Ream says such requests "are not unusual."
As a result of the inappropriate disclosure of personally identifiable information, both DHMC and Blue Shield have reported the incident to California's attorney general; they are also notifying the affected physicians, Ream says.
While DMHC says in a public statement that there is no evidence that any of the personal information contained in the rosters has been misused, Blue Shield of California is offering the affected providers a free year of credit monitoring to protect against identity theft.
In the wake of the incident, DHMC also has deployed a data loss prevention system to assess all roster reports submitted by Blue Shield of California, as well as all other health plans in the state, since 2003, Ream says. The DLP software will scan "hundreds of thousands of documents" for confidential information such as Social Security numbers that should not be contained in the reports, she says. Additionally, all documents released by DHMC from here on will also undergo "an eyeball check by humans" before any information is disclosed, she says.
DHMC is also notifying the 10 entities who received the rosters containing the medical providers' Social Security numbers, asking that the CDs on which DHMC supplied the information be returned and any subsequent copies destroyed, Ream says.
Blue Shield Responds
In a statement provided to ISMG, Blue Shield of California says: "The Department of Managed Health Care recently notified us that the Social Security numbers of some of our contracted physicians were mistakenly included in filings we submitted in 2013. While we have no reason to believe any personal information was compromised, we have worked with DMHC to notify the affected providers and to offer them free credit monitoring for one year. We have taken several steps to prevent this mistake from happening again."
For example, the insurer says it has "revised our procedures for preparing and submitting provider rosters to the DMHC. This new process includes multiple levels of data review and validation before filing documents with the DMHC."
Some security and privacy experts say that, unfortunately, incidents involving inadvertent seepage of sensitive data in documents such as spreadsheets or e-mails are common.
"As so many of these incidents demonstrate, there is a great need for more comprehensive and more frequent training of employees on both privacy and security in the healthcare industry," says Dan Berger, CEO of security consulting firm Redspin. "Electronic data exchange has really changed the playing field in the industry, and I don't think user training in these areas has caught up with it."
Several mistakes apparently led to the breach, Berger says. For starters, Blue Shield of California should not have sent rosters containing Social Security numbers in the first place. But having done so, they should have marked those documents "confidential," he says. "This appears to be a workforce training issue. At the same time, Blue Shield did not release [the information] to the public so the actual breach responsibility lies with DMHC," he says. "While the agency needs to be responsive to public requests for information, clearly not enough controls were in place to prevent the further inadvertent disclosure of sensitive information to the public."
Organizations can take several steps to prevent these kinds of breaches from occurring, Berger says.
"The rule of thumb on inadvertent disclosures seems to be 'the more automated the process, the greater the likelihood of a large breach,'" he notes. "This is really where DLP solutions can come into play. In this particular case, it looks like the breadth of the breach was fairly limited so I would suggest that the DLP solution would have helped more on the Blue Shield side. DMHC appears to have a lack of employee oversight."
In terms of DMHC's plan to attempt retrieving the disclosed reports containing the physicians' Social Security numbers, that's a bit like "getting the horse back in the barn," he says. "Of course, one can never be fully sure that remediation steps have been successful," he says. "I commend the actions of DMHC in requesting that the recipients of the inadvertent disclosure return or destroy the sensitive data. We'd generally recommend asking for a signed, written attestation of that action, as well."