By Annemaria Duran
A recent Blue Cross Blue Shield of North Carolina security breach has impacted roughly 775,000 consumers, including many Anthem and non-Anthem members. Even members in Missouri were impacted. Over 10 years of security data was compromised, which means that even consumers who aren’t current customers of Blue Cross Blue Shield may have been affected.
When hackers broke into Blue Cross Blue Shield’s systems, they stole names, medical history, social security numbers, income information, and birthdates. This information is critical because it provides all the data necessary for identity theft. Unlike financial breaches, which typically compromise a customer’s checking account or credit card number, a stolen medical identity can be used for a variety of purposes and for an indefinite amount of time.
If a credit card or checking account number is stolen, the account can be monitored, closed, or restricted to prohibit access and further damage by the thief. A stolen medical identity can be used to get free healthcare, to sell identities for new credit applications, to fill out applications of any kind, and to assume the victim’s identity completely. The damage can extend far into the future and is hard to control because the user’s basic identifying information has been stolen. Although Blue Cross Blue Shield has purchased identity protection for its customers for the next 2 years, the reality is that the stolen information can be held and used far beyond the 2-year window of protection.
There were several things that created a window of opportunity for hackers. As of 2013, Blue Cross Blue Shield of North Carolina was still not encrypting client information before sending it outside the company’s secure production area. Blue Cross stated that it “wasn’t feasible” to do this and that they had “never had a security breach.” If Blue Cross did indeed decide to start encrypting or masking client data, it is obvious that they did a poor job, choosing encryption technology that was lower cost and had lower levels of encryption.
How to Avoid Losing Secure Data
This is one of the reasons why eFileCabinet encrypts data stored in its document management system with 256-bit encryption. That is roughly 10,000 times more secure than data encrypted with 128-bit encryption. Unfortunately, although 128-bit encryption is still considered “safe enough” for the financial and medical industries, it can still be compromised. In contrast, it would take 10 supercomputers roughly 1000 years, at today’s computer capabilities, to decrypt one page of a document protected with 256-bit encryption.
Additionally, eFileCabinet encrypts the data both at rest and in transit. This means that the data is encrypted even when it’s sitting in a database and not in use. This is very important because hackers will often choose lower-traffic time periods to hack systems, and too often data is left unencrypted while at rest. This leaves back-door access available to unauthorized persons.
Another critical error that Blue Cross Blue Shield made was keeping past customers’ and members’ data online. If a customer is no longer a current customer, there is no reason not to archive the data. If the data needs to be kept for a number of years, such as to stay HIPAA compliant, then it should be kept in offline storage. This would have protected the thousands of previous members whose data was compromised.
Through eFileCabinet’s automated retention, client files can be automatically retained, archived, and destroyed in a timely manner. This makes an immeasurable difference in keeping your customers’ precious data secure.