On September 5, 2023, Blue Cross and Blue Shield of Montana (BCBSMT) notified members concerning a data incident affecting their protected health information (PHI). Following regulatory requirements, BCBSMT sent letters to individuals with self-funded employer group health plans or previous health insurance coverage with them. The communication aimed to provide transparency and guidance in light of the recent breach.
"On June 15, 2023, we became aware that your PHI may have been inadvertently disclosed to an unauthorized party between September 19, 2022, and May 18, 2023," said BCBSMT in their letter. The organization clarified that this issue arose during customer service interactions handled by their vendor, TTEC.
"On June 15, 2023, we became aware that your PHI may have been inadvertently disclosed to an unauthorized party between September 19, 2022, and May 18, 2023,"
The investigation revealed that employees at TTEC inappropriately delegated calls to non-TTEC individuals, resulting in the possible exposure of sensitive information. BCBSMT has confirmed that "the investigation did not find any evidence that your information was used in any way other than to perform work for BCBSMT."
The scope of the data in question included a variety of personal details. "The information that may have been disclosed included your name, date of birth, group number, subscriber number, address, phone number, claim number (DCN), medical service information, and Social Security Number," the letter outlined, bringing clarity to the gravity of the incident.
"The information that may have been disclosed included your name, date of birth, group number, subscriber number, address, phone number, claim number (DCN), medical service information, and Social Security Number,"
Looking Ahead
In light of these findings, BCBSMT took swift action concerning the employees implicated in the breach. "BCBSMT confirmed that the vendor, TTEC, terminated the employees involved in the incident," they stated. Furthermore, TTEC has since amended their hiring protocols and security measures to mitigate the risks of similar occurrences in the future.
"BCBSMT confirmed that the vendor, TTEC, terminated the employees involved in the incident,"
Impact and Legacy
To assist impacted members, BCBSMT is providing complimentary identity theft protection services through IDX, a subsidiary of ZeroFox. This offer includes 12 months of credit monitoring, 24 months of CyberScan monitoring, insurance against losses up to $1 million, and fully managed identity theft recovery services. BCBSMT reassured members saying, "With this protection, IDX will help you resolve issues if your identity is compromised. This product is completely free to you and enrolling in this program will not affect your credit score."
"To enroll in IDX credit monitoring, scan the QR code at the bottom of this letter, go to https://app.idx.us/account-creation/protect, and follow the instructions for enrollment using your Enrollment Code provided at the top of this letter or call IDX directly at 1-800-939-4170. Please note the deadline to enroll is November 24, 2023. Due to privacy laws, we cannot register you directly," the organization emphasized.
While BCBSMT reiterated there is no belief that the data has been misused, they encouraged members to stay vigilant. “We have no reason to believe that anyone has accessed or misused your data,” they stated, while still highlighting precautionary measures individuals may take. Members are encouraged to regularly review explanation of benefits statements and to reach out directly if they notice discrepancies.
Beyond the provided identity protection services, BCBSMT urged members to be proactive in monitoring their accounts for any signs of identity theft or fraud. They provided resources detailing how members can obtain their free annual credit reports and offered guidance on immediate steps to take should they suspect identity theft.
"It is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity," they advised.
"It is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity,"
If members suspect that their personal information is being misused, they were recommended to contact the Federal Trade Commission and their state's Attorney General's office immediately for support and guidance on further actions.
This incident underscores the critical nature of safeguarding personal information and maintaining high standards of security within customer service operations. As BCBSMT emphasizes enhanced security measures at TTEC, the broader implications of this breach spotlight the importance of vigilance and awareness in the realm of cybersecurity. Moving forward, both BCBSMT and TTEC appear committed to taking necessary steps to prevent a recurrence of such incidents, ensuring members feel secure in the handling of their sensitive information.
