Blue Shield of California

The California Department of Justice disclosed a data breach affecting Blue Shield of California on November 8, 2024. The incident stemmed from a data mismatch error, which inadvertently permitted family members on the same insurance plan to access the protected health information (PHI) of other plan members. The exposed data included medical visit types and medication details, though no personally identifiable demographic information (e.g., names, addresses, or Social Security numbers) was compromised. The breach impacted an undisclosed number of individuals, with no evidence of malicious external intrusion or data theft by third parties. The error was internal, likely tied to system misconfigurations or access controls, and did not involve ransomware, cyberattacks, or broader unauthorized dissemination beyond the affected family members. Blue Shield has not confirmed whether the exposed PHI was exploited for fraud or further misuse, but the incident highlights vulnerabilities in health data segmentation and privacy safeguards within shared insurance plans.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-600565

TPRM report: https://www.rankiteo.com/company/blue-shield-of-california

"id": "blu1010091725",
"linkid": "blue-shield-of-california",
"type": "Breach",
"date": "11/2024",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': 'UNKN (unknown number of '
                                              'individuals)',
                        'industry': 'Healthcare',
                        'location': 'California, USA',
                        'name': 'Blue Shield of California',
                        'type': 'Health Insurance Provider'}],
 'data_breach': {'data_exfiltration': 'No (internal unauthorized access only)',
                 'number_of_records_exposed': 'UNKN (unknown)',
                 'personally_identifiable_information': 'No (no demographic '
                                                        'identifiers exposed)',
                 'sensitivity_of_data': 'High (health information)',
                 'type_of_data_compromised': ['Protected Health Information '
                                              '(PHI)',
                                              'Medical records (visit types, '
                                              'medication info)']},
 'date_publicly_disclosed': '2024-11-08',
 'description': 'The California Department of Justice reported a data breach '
                'involving Blue Shield of California on November 8, 2024. The '
                'incident involved a data mismatch error that may have allowed '
                'family members on the same plan to view protected health '
                'information, including medical visit types and medication '
                'information. Approximately UNKN individuals were affected, '
                'and no demographic information that would identify '
                'individuals was disclosed.',
 'impact': {'brand_reputation_impact': 'Potential reputational harm due to PHI '
                                       'exposure',
            'data_compromised': ['Protected Health Information (PHI)',
                                 'Medical visit types',
                                 'Medication information'],
            'identity_theft_risk': 'Low (no demographic identifiers '
                                   'disclosed)'},
 'post_incident_analysis': {'root_causes': 'Data mismatch error in system '
                                           'logic allowing intra-family PHI '
                                           'access'},
 'references': [{'date_accessed': '2024-11-08',
                 'source': 'California Department of Justice'}],
 'regulatory_compliance': {'regulations_violated': ['Potential HIPAA violation '
                                                    '(unauthorized PHI '
                                                    'access)'],
                           'regulatory_notifications': 'Reported to California '
                                                       'Department of Justice'},
 'response': {'communication_strategy': 'Public disclosure via California '
                                        'Department of Justice'},
 'title': 'Blue Shield of California Data Mismatch Error Breach',
 'type': 'Data Breach (Unauthorized Access/Disclosure)',
 'vulnerability_exploited': 'Data mismatch error in system logic'}