Blue Shield of California customer data stolen in cyberattack

An unknown number of Blue Shield of California members may have had their personal data, including Social Security numbers, birth dates and treatment information, stolen during a cybersecurity breach this spring.

The healthcare insurance provider said the attack targeted the files of one of its contracted vendors, which manages vision benefits for many of Blue Shield’s customers.

“The vendor immediately took the server offline, launched an investigation into the incident, engaged a cybersecurity firm and reported the matter to the FBI,” Blue Shield said in announcing the breach last month. “It was determined that the unauthorized third party exfiltrated information from the server on May 28, 2023, and May 31, 2023.”

Oakland-based Blue Shield said it was notified of the breach on Sept. 1 after the vendor discovered a week earlier that an unknown vulnerability in its system had been exploited.

Blue Shield added that there was “no evidence” that its own systems and emails were affected or vulnerable to the attack.

“It was critical for us to take the time to accurately identify potentially impacted individuals and their affected data,” a Blue Shield spokesperson said in an email late Friday. “Once that process was completed, we were able to send breach notification letters in mid-November to all members who were potentially impacted.”

The spokesperson did not answer a question about how many of Blue Shield’s 4.5 million health plan members may have been affected.

The company said it is providing affected members with no-cost credit monitoring with identity restoration services, and has established a dedicated call center to answer questions. It advised members to review their credit reports and account statements and to notify law enforcement of suspicious activity.