Data Breaches

Breach Type: all
Organization Type: all
Year(s) of Breach: all
Date Made Public:
September 13, 2018
Company: Blue Cross & Blue Shield of Rhode Island
Location: Rhode Island
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,567

Location of breached information: Paper/Films

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
December 26, 2017
Company: Blue Cross Blue Shield of Massachusetts
Location: Massachusetts
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,843

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
July 31, 2017
Company: Anthem Blue Cross Blue Shield
Location: Indianapolis, Indiana
Type of breach:
INSD
Type of organization:
MED
Records Breached:
18,000

"Anthem BlueCross BlueShield began notifying customers last week of a breach affecting about 18,000 Medicare members. The breach stemmed from Anthem’s Medicare insurance coordination services vendor LaunchPoint Ventures, based in Indiana.

LaunchPoint discovered on April 12 that an employee was likely stealing and misusing Anthem and non-Anthem data. The employee emailed a file containing information about Anthem’s members to his personal address on July 8, 2016.

The file contained Medicare ID numbers, including Social Security numbers, Health Plan ID numbers, names and dates of enrollment. Officials said limited last names and dates of birth were included."

Information Source:
Media
Date Made Public:
May 5, 2017
Company: Blue Cross and Blue Shield of Kansas City
Location: Missouri
Type of breach:
DISC
Type of organization:
MED
Records Breached:
725

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 30, 2016
Company: Horizon Healthcare Services Inc. doing business as Horizon Blue Cross Blue Shield of New Jersey and its affiliates
Location: New Jersey
Type of breach:
DISC
Type of organization:
MED
Records Breached:
55,700

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
February 12, 2016
Company: Blue Cross Blue Shield of South Carolina
Location: Columbia, South Carolina
Type of breach:
DISC
Type of organization:
MED
Records Breached:
998

"A business associate (BA), Blue Cross\Blue Shield, of the covered entity (CE), South Carolina Public Employee Benefit Authority, incorrectly mailed pre-authorization dental letters to the CE's members due to a computer error. During the mailing sorting process, the names of the envelopes were not matched to the correct addresses. The breach affected 998 individuals and included financial, demographic, and clinical information. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA revised its procedures for ensuring data integrity and accuracy and enhanced procedures to include a quality control validation step. The BA trained systems support staff and confirmed that it requires all of its employees, contractors and consultants employed or retained for longer than 45 days to receive HIPAA training. OCR obtained assurances that the BA implemented the corrective actions listed above."

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
California Attorney General
Date Made Public:
December 4, 2015
Company: Blue Cross Blue Shield of Nebraska
Location: Omaha, Nebraska
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
1,872

Blue Cross Blue Shield of Nebraska notified patients of a data breach when personal information was inadvertently disclosed on dental form claims.

"The company said a printing error caused some dental explanation of benefits forms to be sent to the wrong customers. The forms reveal treatment and services that the insurer paid on a customer’s behalf.

The company said an internal review found that 1,872 dental plan customers received mail statements that included another customer’s name, member identification number and dental claim information. The forms did not disclose birth dates, Social Security numbers, or financial or employment information."

More information: http://www.omaha.com/money/blue-cross-blue-shield-says-it-disclosed-cust...

Information Source:
Media
Date Made Public:
September 25, 2015
Company: Blue Cross Blue Shield of North Carolina (BCBSNC)
Location: Durham, North Carolina
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
0

Blue Cross BlueShield of North Carolina notified customers of a data breach when it discovered two incidents that may have exposed personal information.

The first incident occurred when a printing error resulted in members' billing invoice information being printed on the back of other members' invoices. The information exposed here included names, addresses, internal BCBSNC account numbers, group numbers, coverage dates and premium amounts.

The second incident occurred when payment letters included incorrect information and were sent to the wrong members. This information included the type of health plan purchased, effective dates, health insurance marketplace identification numbers, payment amounts, telephone numbers and payment identification numbers.

More information: http://www.bcbsnc.com/content/corporate/privacy-breach-20150925.htm

http://healthitsecurity.com/news/theft-printing-error-lead-to-health-dat...

Information Source:
Health IT Security
Date Made Public:
September 25, 2015
Company: Horizon Blue Cross Blue Shield
Location: Newark, New Jersey
Type of breach:
DISC
Type of organization:
GOV
Records Breached:
1,100

Horizon Blue Cross Blue Shield of New Jersey notified customers of a data breach when several individuals pretended to be doctors or health care professionals and obtained member identification numbers and other personal information.

These individuals then submitted claims to Horizon Blue Cross Blue Shield with these member ID numbers. During the investigation it was confirmed that names, dates of birth, gender and member ID numbers were accessed. The company is claiming that no Social Security numbers, financial information or medical information was accessed.

More Information: http://www.nj.com/news/index.ssf/2015/09/nj_insurer_says_some_data_stole...

Information Source:
Media
Date Made Public:
September 11, 2015
Company: Blue Cross Blue Shield of North Carolina
Location: North Carolina
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,530

The covered entity (CE), Blue Cross Blue Shield of North Carolina, discovered on August 14, 2015, that its business associate (BA), EDM Americas, had accidentally sent invoices to members that contained information for other members, affecting 1,530 individuals. The types of protected health information (PHI) in the invoice included member names, addresses, internal account numbers, group numbers, coverage dates, and premium amounts due. The CE provided breach notification to HHS, on its website and to the media. The BA sent individual notification on behalf of the CE. In response to the breach, the BA retrained its staff and revised its internal validation and quality control procedures. OCR obtained assurances that the CE implemented the corrective actions listed above.

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
September 10, 2015
Company: Excellus Blue Cross Blue Shield
Location: Syracuse, New York
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
10,000,000

Excellus has revealed that in August the company discovered a breach of its systems, which may have started two years prior, in which hackers gained access to its customers' information.

The information accessed included names, birth dates, Social Security numbers, mailing addresses, telephone numbers, claims and financial payment information, which included some credit card numbers.

"Excellus spokesperson Cane confirmed in a phone call with WIRED that between 10 and 10.5 million customers had their data potentially accessed in the breach. Beyond just Excellus itself, the company says that even some of its insurance partners within the Blue Cross Blue Shield network may be affected, accounting for about 3.5 million of those victims. Everyone affected will receive a letter from Excellus, along with two years of free credit monitoring from the company."

More information: http://www.wired.com/2015/09/hack-brief-health-insurance-firm-excellus-s...

UPDATE (9/21/2015): A class-action lawsuit has now been filed against Excellus as a result of the data breach the company suffered exposing 10.5 million individuals to potential identity theft.

More Information: http://www.databreachtoday.com/excellus-faces-breach-related-lawsuit-a-8539

Information Source:
Media
Date Made Public:
July 14, 2015
Company: Arkansas Blue Cross and Blue Shield
Location: Arkansas
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
560

On June 16, 2015, two unencrypted desktop computers containing the protected health information (PHI) of approximately 560 individuals were stolen from the business associate (BA), Treat Insurance Agency, at its North Little Rock offices. The BA is an insurance broker that solicits and submits applications for health insurance coverage to the covered entity (CE), Arkansas Blue Cross and Blue Shield. The types of PHI involved in the breach included demographic, clinical and financial information. The CE provided breach notification to HHS, affected individuals, and the media. OCR reviewed the BA agreement in place between the CE and the BA and determined that the BA agreement was compliant with 45 C.F.R. §§ 164.314 and 164.504.

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 17, 2015
Company: Blue Cross Blue Shield of Michigan
Location: Michigan
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
3,903

OCR opened an investigation of the covered entity (CE), Blue Cross Blue Shield of Michigan, after it reported that the protected health information (PHI) of 3,903 of its patients had been stolen for the purposes of identity fraud. The types of PHI disclosed included names, ages, genders, dates of birth, contract numbers, group names and numbers, and social security numbers. The CE provided breach notification to HHS, the media and affected individuals. Following the breach, the CE improved safeguards by masking social security numbers, removing members’ dates of birth, limiting search results to 25 records, and installing new printing devices that require employees to scan their coded badges when printing. OCR obtained assurances that the CE implemented the corrective actions listed above.

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 26, 2014
Company: Independence Blue Cross and AmeriHealth New Jersey
Location: Pennsylvania
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
12,450

Members of the covered entity’s (CE) maintenance team improperly disposed of four boxes of paper records containing the protected health information (PHI) of approximately 12,450 individuals in error during the course of an office move within the building. The trash was collected by the CE’s trash removal vendor the next day and transported to a recycling plant. The PHI involved in the breach included names, addresses, identification numbers (including social security numbers), home phone numbers, physician information, health care plans, and group numbers. The CE was not able to determine whether or not someone at the recycling center may have acquired or viewed the PHI. The CE, Independence Blue Cross, provided breach notification to HHS, the media, and affected individuals. The CE offered all members who had their member identification number compromised one year of free credit monitoring. As a result of OCR’s investigation, the CE revised its policies and procedures for trash disposal, as well as maintenance and disposal of provider reports. The CE also sent a reminder to all associates regarding its policies and procedures for proper handling of paper documents and proper disposal of trash and documents containing PHI. Furthermore, the CE sanctioned the employees responsible for the incident. The CE initiated plans to provide additional staff training on its HIPAA policies and procedures for trash disposal.

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 19, 2014
Company: Blue Cross Blue Shield of Michigan Blue Care Network
Location: Michigan
Type of breach:
DISC
Type of organization:
MED
Records Breached:
502

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 11, 2014
Company: BLUE CROSS AND BLUE SHIELD OF KANSAS CITY
Location: Missouri
Type of breach:
DISC
Type of organization:
MED
Records Breached:
2,546

In February 2014, two members of the covered entity (CE), Blue Cross Blue Shield of Kansas City Plan, reported unauthorized charges on credit cards they used to make payments by phone to the CE. The CE determined that an employee violated its policies and procedures and may have put the financial information of 2,546 individuals at risk. The breach affected members that spoke with this employee regarding payment of premiums. The CE provided breach notification to HHS, affected individuals, and the media, and reported the matter to the FBI and local law enforcement. The CE reported that its background check contractor, Verifications Inc. (VI) provided an inaccurate criminal background check, which resulted in the hiring of the involved employee although the employee had been convicted of felony identity theft in April 2012. To prevent similar breaches from happening in the future, the CE terminated its contract with VI and established a relationship with a new background check vendor. The CE provided training to its workforce on its policies and procedures regarding HIPAA Security. OCR obtained documented evidence demonstrating that the CE implemented the corrective action listed above. The CE also ended the involved employee’s employment.

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 11, 2014
Company: Blue Cross and Blue Shield of Kansas City, Inc.
Location: Maryland
Type of breach:
INSD
Type of organization:
MED
Records Breached:
0

name, credit card info, bank account info

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
Maryland Attorney General
Date Made Public:
January 3, 2014
Company: Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates
Location: New Jersey
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
839,711

Location of breached information: Laptop

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
December 6, 2013
Company: Horizon Healthcare Services, Inc. (Horizon Blue Cross Blue Shield)
Location: Newark, New Jersey
Type of breach:
PORT
Type of organization:
BSF
Records Breached:
840,000

Sometime between November 1 and 3, two unencrypted laptops were stolen from employee workstations.  The laptops were password-protected and cable-locked to the workstations. Names, Social Security numbers, addresses, dates of birth, Horizon Blue Cross Blue Shield New Jersey identification numbers, and demographic information may have been exposed. Almost 840,000 Horizon Blue Cross Blue Shield members were affected.

UPDATE (04/06/2015): A class action lawsuit was filed against Blue Cross Blue Shield of New Jersey on behalf of more than 830,000 members, arguing that they were at risk of identity theft due to the data breach, in which the stolen laptops contained personal information, including Social Security numbers. The judge in the case dismissed the class action lawsuit, ruling that since there was no evidence that the information on the laptops was used to cause harm, there was no standing.

More Information: http://www.nj.com/news/index.ssf/2015/04/judge_tosses_data-breach_suit_a...

She also "dismissed a claim of economic injury brought by three of the plaintiffs who argued that their premiums should have provided for the security of their personal information. Citing precedent, Cecchi dismissed that claim as well, writing that the plaintiffs failed to demonstrate actual economic harm as a result of the breach."

UPDATE (03/1/2017): "New Jersey Attorney General Christopher S. Porrino announced Feb. 17 that Horizon Healthcare Services, Inc., the state's largest health care provider, will pay $1.1 million and improve data security practices after allegations of failing to properly protect the privacy of close to 690,000 New Jersey policyholders."

More Information: http://legalnewsline.com/stories/511085361-horizon-healthcare-services-s...

Information Source:
California Attorney General
Date Made Public:
November 7, 2013
Company: Blue Cross and Blue Shield of North Carolina
Location: North Carolina
Type of breach:
DISC
Type of organization:
MED
Records Breached:
687

On October 14, 2013, the covered entity (CE), Blue Cross Blue Shield of North Carolina, impermissibly disclosed the protected health information (PHI) of 687 individuals when an employee inadvertently mailed notices regarding policy changes to incorrect addresses. The PHI involved in the breach included names. The CE provided breach notification to HHS and affected individuals. Following the breach the CE sanctioned the responsible workforce member. As a result of OCR’s investigation, the CE provided media notice and established a toll-free number for affected individuals. Additionally, the CE improved safeguards by retraining employees and initiating a regular review of mailing procedures.

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 9, 2013
Company: Connextions, Anthem Blue Cross Blue Shield of Indiana, Anthem Blue Cross Blue Shield of Ohio, Empire Blue Cross Blue Shield of Indiana
Location: Orlando, Florida
Type of breach:
INSD
Type of organization:
MED
Records Breached:
6,000

A Connextions employee used Social Security numbers from a number of other organizations for criminal activity.  At least four members of Anthem Blue Cross and Blue Shield were affected by the criminal activity.  The breach was reported on HHS as affecting 4,814 patients, but more were affected.

Information Source:
HHS via PHIPrivacy.net
Date Made Public:
November 29, 2012
Company: Blue Cross Blue Shield
Location: Illinois
Type of breach:
DISC
Type of organization:
MED
Records Breached:
500

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
September 19, 2012
Company: Blue Cross Blue Shield of Massachusetts (BCBS)
Location: Boston, Massachusetts
Type of breach:
INSD
Type of organization:
MED
Records Breached:
15,000

A BCBS vendor misused BCBS employee information.  The misuse appears to have been limited to one instance.  Names, Social Security numbers, dates of birth, compensation information, and bank account information may have been exposed.

Information Source:
Media
Date Made Public:
March 2, 2012
Company: Blue Cross Blue Shield (BCBS) of North Carolina
Location: Durham, North Carolina
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,000

An employee of BCBS North Carolina accidentally sent an email that revealed the email addresses of all customers who received the email.  Customers received the email as notification of changes to their billing cycle on Wednesday, February 29.  The employee error meant that anyone who received the email could then send unwanted messages referencing BCBS or unrelated content to other customers who received the email.

Information Source:
Media
Date Made Public:
September 30, 2011
Company: First Priority Life Insurance Company, Blue Cross of Northeastern Pennsylvania, Penn Foster
Location: Scranton, Pennsylvania
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
500

Around 500 employees were affected by the home theft of a laptop and sensitive papers.  A Blue Cross business associate took home reports that contained names, Social Security numbers, and addresses of First Priority policyholders.  The reports and laptop were stolen while the home was vacated due to flooding.  The laptop was recovered a few days later.

Information Source:
PHIPrivacy.net
Date Made Public:
June 30, 2011
Company: Blue Cross and Blue Shield of Florida (BCBSF)
Location: Jacksonville, Florida
Type of breach:
DISC
Type of organization:
MED
Records Breached:
3,500

An April 2011 mailing error caused 3,500 member healthcare statements to be mailed to incorrect addresses.  The statements were mailed to the former addresses of members and contained names, insurance numbers, diagnoses codes and descriptions, procedure codes and descriptions, prescription names and provider names.

Information Source:
PHIPrivacy.net
Date Made Public:
June 17, 2011
Company: Blue Cross and Blue Shield of Florida
Location: Florida
Type of breach:
DISC
Type of organization:
MED
Records Breached:
3,463

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 3, 2011
Company: Blue Cross and Blue Shield of Florida
Location: Florida
Type of breach:
UNKN
Type of organization:
MED
Records Breached:
7,366

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
January 14, 2011
Company: Blue Cross Blue Shield of Michigan (BCBSM), Tstream Software
Location: Harper Woods, Michigan
Type of breach:
DISC
Type of organization:
MED
Records Breached:
2,979

A BCBSM website created by Tstream was the source of a breach. A BCBSM member found her personal information online when searching her name. People applying for individual health insurance between 2006 and an unclear date had their names, Social Security numbers, addresses and dates of birth exposed. BCBSM was notified of the error on November 17, 2010. The information was accessible for an unspecified amount of time. Though 6,500 BCBSM members were notified, only 2,979 were affected.

Information Source:
PHIPrivacy.net
Date Made Public:
August 5, 2010
Company: Blue Cross Blue Shield of Alabama
Location: Birmingham, Alabama
Type of breach:
INSD
Type of organization:
MED
Records Breached:
15

A dishonest employee was charged with identity theft. The employee fraudulently obtained credit by using the health insurance information of at least 15 clients.

Information Source:
PHIPrivacy.net
Date Made Public:
July 14, 2010
Company: Blue Cross Blue Shield Association
Location: Chicago, Illinois
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
15,000

An error in the quarterly address update process resulted in the mailing of approximately 15,000 individuals' protected health information to incorrect addresses. The information in the letters included demographic information, explanation of benefits, clinical information, and diagnoses. The returned mail was collected and the organization verified whether or not it had been delivered.

Information Source:
PHIPrivacy.net
Date Made Public:
April 21, 2010
Company: Blue Cross & Blue Shield of Rhode Island
Location: Rhode Island
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
12,000

A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included members' names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above.

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 16, 2010
Company: Blue Cross and Blue Shield of Rhode Island (BCBSRI)
Location: Providence, Rhode Island
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
12,000

A filing cabinet containing survey information from approximately 12,000 BlueCHIP for Medicare members was donated to a local nonprofit organization.  The surveys were from 2001 to early 2004 and contained information such as names, Social Security numbers, telephone numbers, addresses and Medicare Identification numbers.

Information Source:
Databreaches.net
Date Made Public:
February 16, 2010
Company: Blue Cross Blue Shield of RI
Location: Rhode Island
Type of breach:
UNKN
Type of organization:
MED
Records Breached:
528

On January 5, 2010, BCBSRI was notified that a 16-page report pertaining to Brown University's health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented a new procedure for all outgoing correspondence, and is in the process of auditing all affected members' claim history to ensure no fraud.

Location of breached information: Paper/Films

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
February 10, 2010
Company: WellPoint, Anthem/Blue Cross and Blue Shield
Location: Chicago, Illinois
Type of breach:
INSD
Type of organization:
MED
Records Breached:
40

A former employee accessed health care professionals' Social Security numbers, names, dates of birth, and home addresses. Between 2007 and 2010, the employee created fictitious identities and created e-mail addresses, opened bank accounts and credit card accounts.

UPDATE (05/10/2010): The former employee was sentenced to 28 months in prison followed by three years of supervised release. She was also ordered to pay $2,914.95 in restitution. She pleaded guilty to one count of mail fraud and one count of aggravated identity theft on February 9. Around 40 health care professionals such as doctors, psychologists, nurses, and dietitians were victims of fraudulent financial activity.

Information Source:
Databreaches.net
Date Made Public:
September 30, 2008
Company: Blue Cross & Blue Shield
Location: Baton Rouge, Louisiana
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,700

A document containing the personal data was accidentally attached to a general e-mail being sent out to brokers notifying them of a software upgrade. Information such as Social Security numbers, phone numbers and addresses were exposed.

Information Source:
Dataloss DB
Date Made Public:
July 29, 2008
Company: Blue Cross and Blue Shield of Georgia
Location: Atlanta, Georgia
Type of breach:
DISC
Type of organization:
MED
Records Breached:
202,000

Benefit letters containing personal and health information were sent to the wrong addresses last week. The letters included the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed. A small percentage of letters also contained the patient's Social Security numbers.

Information Source:
Dataloss DB
Date Made Public:
January 29, 2008
Company: Horizon Blue Cross Blue Shield
Location: Newark, New Jersey
Type of breach:
PORT
Type of organization:
MED
Records Breached:
300,000

More than 300,000 members' names, Social Security numbers and other personal information were contained on a laptop computer that was stolen. The laptop was being taken home by an employee who regularly works with member data.

Information Source:
Dataloss DB
Date Made Public:
August 7, 2007
Company: Blue Cross Blue Shield North Carolina
Location: Durham, North Carolina
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
2,940

Letters were accidentally mailed with subscriber Social Security numbers visible through envelope windows.

Information Source:
Dataloss DB
Date Made Public:
March 14, 2007
Company: WellPoint's Empire Blue Cross and Blue Shield unit in NY
Location: Indianapolis, Indiana
Type of breach:
PORT
Type of organization:
MED
Records Breached:
75,000

An unencrypted disc containing patients' names, Social Security numbers, health plan identification numbers and descriptions of medical services dating back to 2003 was lost en route to a subcontractor.

UPDATE (3/14/07): The subcontractor reported that the CD that was reported missing on Feb. 9 has been found.

Information Source:
Dataloss DB