On August 25, 2021, Blue Cross of California fell victim to a ransomware attack that compromised the sensitive personal and financial information of its members. The breach exposed a wide range of data, including names, dates of birth, gender, email addresses, phone numbers, physical addresses, Medicare ID numbers, provider details, bank account numbers, and—where applicable—Social Security numbers. The incident was formally reported by the California Office of the Attorney General on October 26, 2021. The exposed data poses significant risks, such as identity theft, financial fraud, and unauthorized access to healthcare services. Given the scale and sensitivity of the leaked information, the attack directly undermines customer trust and could lead to long-term reputational damage, regulatory penalties, and potential legal liabilities for the organization.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-546858
TPRM report: https://www.rankiteo.com/company/blue-shield-of-california
"id": "blu326082625",
"linkid": "blue-shield-of-california",
"type": "Ransomware",
"date": "8/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'industry': 'healthcare',
'location': 'California, USA',
'name': 'Blue Cross of California',
'type': 'healthcare insurer'}],
'data_breach': {'data_exfiltration': 'likely',
'personally_identifiable_information': True,
'sensitivity_of_data': 'high',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'protected health information '
'(PHI)',
'financial information']},
'date_detected': '2021-08-25',
'date_publicly_disclosed': '2021-10-26',
'description': 'The California Office of the Attorney General reported that '
'Blue Cross of California experienced a ransomware attack on '
'August 25, 2021, which affected sensitive information of its '
'members. The types of information potentially accessed '
'include names, dates of birth, gender, email, phone numbers, '
'addresses, Medicare ID numbers, provider information, bank '
'account numbers, and Social Security numbers in certain '
'cases.',
'impact': {'data_compromised': ['names',
'dates of birth',
'gender',
'email addresses',
'phone numbers',
'addresses',
'Medicare ID numbers',
'provider information',
'bank account numbers',
'Social Security numbers (in certain cases)'],
'identity_theft_risk': 'high',
'payment_information_risk': 'high'},
'ransomware': {'data_encryption': 'likely', 'data_exfiltration': 'likely'},
'references': [{'date_accessed': '2021-10-26',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['California Consumer '
'Privacy Act (CCPA)',
'Health Insurance '
'Portability and '
'Accountability Act '
'(HIPAA)'],
'regulatory_notifications': 'California Office of '
'the Attorney General'},
'title': 'Blue Cross of California Ransomware Attack (2021)',
'type': 'ransomware'}