Data Breaches at Health Plan Member Portals, Zipari and Central California Alliance for Health

Health plan Independence Blue Cross based in Philadelphia, AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey found out that unauthorized people got access to pages of their member portals between March 17, 2020 and April 30, 2020 and likely viewed the personal and protected health information (PHI) of a few members.

The types of information disclosed consist of names, plan type, member identification numbers, spending account balances, claims data, and user reward summaries.

Based on the breach investigation, the hacker used valid credentials to sign in to the portal. In all instances, the passwords utilized to access the member sites were acquired due to the breaches of third-party websites and programs, like the MyFitnessPal breach in 2018. The passwords for those third-party sites were also used on member sites.

The health plans were advised about the breach on May 8, 2020 and promptly took steps to protect the accounts and stop further unauthorized access. All affected members already received notifications and offers of 24-months free credit monitoring and identity theft protection services.

Business Associate Data Breach Affects 49,500 Providence Health Plan Members

A data breach at a business associate of Providence Health Plan based in Oregon impacted 49,511 of its members.

On April 17, 2020, Zipari in Brooklyn informed Providence Health Plan regarding a coding error that enabled the online exposure of documents related to employer-sponsored health plans. Zipari detected the coding error on April 9, 2020. Based on the investigation, unauthorized individuals accessed the documents in May, September, and November 2019. The information contained in the documents were names of member and employer and dates of birth. No other information was exposed.

Because of the breach, Providence Health Plan scheduled a third-party audit of Zipari’s data security policies. Plan members were provided with free credit monitoring services.

Central California Alliance for Health Finds A Number of Email Accounts Breached

Central California Alliance for Health (CCAH) found out on May 7, 2020 that an unauthorized individual obtained access to a number of employees’ email accounts and possibly viewed and acquired the protected health information of a few of its members. Based on the breach notification submitted to the California Attorney General’s office, numerous CCAH email accounts were subjected to unauthorized access for approximately one hour.

An analysis of the compromised email accounts confirmed they included names, demographic data, dates of birth, Medi-Cal ID numbers, claims data, Alliance Care Management Program files, medical data, and referral details.

CCAH implemented a full password reset on all email accounts and provided employees with more training on email security. CCAH is not aware of any wrong use of member’s information.