An unknown number of Blue Shield of California members may have had their personal data, including Social Security numbers, birth dates and treatment information, stolen during a cybersecurity breach this spring.
The healthcare insurance provider said the attack targeted the files of one of its contracted vendors, which manages vision benefits for many of Blue Shield’s customers.
“The vendor immediately took the server offline, launched an investigation into the incident, engaged a cybersecurity firm and reported the matter to the FBI,” Blue Shield said in announcing the breach last month. “It was determined that the unauthorized third party exfiltrated information from the server on May 28, 2023, and May 31, 2023.”
Oakland-based Blue Shield said it was notified of the breach on Sept. 1 after the vendor discovered a week earlier that an unknown vulnerability in its system had been exploited.
Blue Shield added that there was “no evidence” that its own systems and emails were affected or vulnerable to the attack.
The company said it is providing affected members with no-cost credit monitoring with identity restoration services, and has established a dedicated call center to answer questions. It advised members to review their credit reports and account statements and to notify law enforcement of suspicious activity.
Blue Shield did not disclose how many of its 4.5 million health plan members may have been affected and did not return a call and email for comment Friday.