Blue Cross Blue Shield Association

The California Office of the Attorney General disclosed a data breach affecting Blue Cross Blue Shield Association (BCBSA) in December 2019. The incident stemmed from a programming error in the fepblue mobile app, which inadvertently allowed certain adult members to access summary claims information of other users between September 28, 2019, and October 22, 2019. While the exact number of impacted individuals remains undisclosed, the breach did not expose sensitive data such as Social Security Numbers (SSNs) or financial details. The exposed information was limited to claims summaries, suggesting no direct financial harm or identity theft risk. BCBSA addressed the vulnerability by correcting the error and notifying affected parties, though the incident highlighted gaps in application security and access controls. The breach was classified as unintentional, with no evidence of malicious exploitation by external actors.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-185087

TPRM report: https://www.rankiteo.com/company/blue-cross-and-blue-shield-association

"id": "blu721082025",
"linkid": "blue-cross-and-blue-shield-association",
"type": "Breach",
"date": "9/2019",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'Unknown (Adult Members)',
                        'industry': 'Healthcare',
                        'location': 'United States (California)',
                        'name': 'Blue Cross Blue Shield Association',
                        'type': 'Health Insurance Provider'}],
 'attack_vector': 'Programming Error (Mobile App Vulnerability)',
 'data_breach': {'data_exfiltration': 'No (Unauthorized Viewing Only)',
                 'number_of_records_exposed': 'Unknown',
                 'personally_identifiable_information': 'None',
                 'sensitivity_of_data': 'Moderate (No PII/Financial Data)',
                 'type_of_data_compromised': ['Summary Claims Information']},
 'date_detected': '2019-10-22',
 'date_publicly_disclosed': '2019-12-12',
 'description': 'The California Office of the Attorney General reported a data '
                'breach involving the Blue Cross Blue Shield Association on '
                'December 12, 2019. The breach occurred on September 28, 2019, '
                'due to a programming error that allowed some adult members to '
                'view summary claims information on the fepblue mobile app '
                'between September 28, 2019, and October 22, 2019. The '
                'specific number of individuals affected is unknown, and '
                'information such as Social Security Numbers and financial '
                'details were not implicated in this incident.',
 'impact': {'brand_reputation_impact': 'Potential (Public Disclosure)',
            'data_compromised': ['Summary Claims Information'],
            'identity_theft_risk': 'Low (No SSN/Financial Data Exposed)',
            'payment_information_risk': 'None',
            'systems_affected': ['fepblue Mobile App']},
 'investigation_status': 'Reported (No Further Details)',
 'post_incident_analysis': {'root_causes': ['Programming Error in Mobile App '
                                            'Access Controls']},
 'references': [{'date_accessed': '2019-12-12',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Potential HIPAA (if PHI '
                                                    'was exposed)'],
                           'regulatory_notifications': ['California Office of '
                                                        'the Attorney '
                                                        'General']},
 'response': {'communication_strategy': 'Public Disclosure via California AG '
                                        'Report'},
 'title': 'Blue Cross Blue Shield Association Data Breach via fepblue Mobile '
          'App',
 'type': 'Data Breach (Unauthorized Access)',
 'vulnerability_exploited': 'Improper Access Control in fepblue Mobile App'}