Blue Cross of Idaho Hacked, Some Member Information Accessed

BOISE, Idaho (AP) — One of Idaho's largest insurance companies said Friday that someone hacked its website and obtained access to the personal information of about 5,600 customers, including their names, claim payment information and codes indicating medical procedures they may have undergone.

Blue Cross of Idaho Executive Vice President Paul Zurlo said in a statement that all affected members were notified and were offered three years of complementary credit monitoring and identity protection services. The company has about 560,000 health insurance customers.

Blue Cross of Idaho said the information did not include Social Security numbers, driver's license numbers, banking or credit card numbers or information about medical diagnoses.

"We take consumers' privacy very seriously, and we are committed to keeping our members' data secure," Zurlo said.

The breach that has been reported to the FBI happened March 21, when an unauthorized user accessed the provider section of the Blue Cross of Idaho website, with the intent of fraudulently rerouting a provider financial transaction, the statement said.

Blue Cross of Idaho stopped the attempted fraud that day and secured the portal, and determined the next day that the hacker accessed provider remittance documents with the private health information of some customers.

Those documents included member names, member subscriber numbers, the dates the member received health care services, their health care provider's names and medical procedures codes, along with some other information about their medical claims.

"We have not identified any unauthorized use of personal data and will keep close watch for illegitimate activity," Zurlo said.

The company is asking members to review their health benefits statements and contact Blue Cross if services are listed that they did not receive.

The company hired cybersecurity experts to review the incident and is cooperating with the FBI, Zurlo said. It's also reviewing its financial accounts and its provider portal to ensure only legitimate financial transactions occur.