Health Care Service Corporation

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Health Care Service Corporation (HCSC), a licensee of Blue Cross Blue Shield based in Chicago, Illinois, experienced a significant data breach that was first identified around June 21, 2023. The cyberattack allowed unauthorized access to sensitive member information, including names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, claim numbers, bank account numbers, and medical service information. This breach affected 192,231 members[1][4].

Following the discovery of the breach, HCSC sent notification letters to the affected individuals on August 21, 2023[1][4]. A class-action lawsuit was subsequently filed against HCSC in the Circuit Court of Cook County, Illinois, on behalf of the affected individuals. The lawsuit alleges that HCSC failed to implement adequate security measures to protect personal health information (PHI) and personally identifiable information (PII), which could have prevented the breach. The plaintiff in the case reported not being notified until August 24, 2023, and claimed to have suffered from identity theft and fraud risks, as well as emotional distress upon learning that her personal data had been uploaded to a dark web site[1].

The lawsuit seeks class-action status, a jury trial, and damages, as well as an order for HCSC to implement improved security measures such as data encryption and regular security checks[1].

In a separate but related incident, Blue Cross and Blue Shield of Illinois, which is part of HCSC, reported a data breach through a third-party administration service provider called TMG Health. The breach at TMG Health occurred on the same date, June 21, 2023, and exposed similar types of personal and health-related information[3].

Additionally, HCSC has faced regulatory action from the Illinois Department of Insurance (IDOI), which fined the company $231,900 for failing to properly update provider directories as required by the Network Adequacy and Transparency Act (NATA)[6]. This fine was part of a series of regulatory actions taken by the IDOI to protect Illinois health insurance consumers.

The HCSC data breach is a significant event given the volume of sensitive information compromised and the legal and regulatory repercussions that have followed. Affected individuals have been advised to monitor their credit and financial accounts closely and to consider credit monitoring services or placing a freeze on their credit to prevent potential identity theft and fraud[3].

Citations:

  1. https://www.hipaajournal.com/health-care-service-corporation-facing-class-action-data-breach-lawsuit/
  2. https://finance.yahoo.com/news/emailing-error-causes-former-blue-214158997.html
  3. https://www.idstrong.com/sentinel/blue-cross-of-illinois-suffers-data-breach/
  4. https://www.jdsupra.com/legalnews/health-care-service-corporation-files-8586946/
  5. https://law.justia.com/cases/illinois/court-of-appeals-first-appellate-district/2023/1-23-0547-0.html
  6. https://www.illinois.gov/news/press-release.27241.html
  7. https://www.securityweek.com/500000-impacted-email-breach-illinois-healthcare-firm/
  8. https://www.doj.nh.gov/consumer/security-breaches/documents/health-care-services-20150327.pdf
  9. https://thehill.com/policy/healthcare/3843207-emailing-error-causes-former-blue-cross-blue-shield-customers-to-receive-claims/
  10. https://www.classaction.org/news/health-care-service-corporation-facing-class-action-over-2023-data-breach-affecting-192k-individuals
  11. https://www.wcia.com/news/target3/blue-cross-blue-shield-fined-for-lack-of-network-adequacy/
  12. https://www.bcbsil.com/company-info/stay-informed/alerts-announcements/9-5-23-tmg-data-incident.html
  13. https://www.infosecurity-magazine.com/news/data-breach-at-illinois-healthcare/
  14. https://www.myinjuryattorney.com/health-care-service-corporation-data-breach-investigation/
  15. https://ilcourtsaudio.blob.core.windows.net/antilles-resources/resources/b263558a-17f3-4940-b74b-1274adfc94a4/Health%20Care%20Services%20Corp.%20v.%20Walgreen%20Company,%202023%20IL%20App%20(1st)%20230020-U.pdf
Breach Submission Date Aug 21, 2023
Converted Entity Name Health Care Service Corporation
Converted Entity Type Health Plan
State IL
Individuals Affected 220,913
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes