Professor Elizabeth Baker Explains How Blue Cross-Blue Shield E-Mail Error Affects Customers

3.1.2012 Article, Faculty News, Healthcare

Blue Cross error lists 1,000 customers' e-mails
Reposted from Winston-Salem Journal | By Richard Craver

A communication error by a Blue Cross Blue Shield of N.C. employee Wednesday exposed the email addresses of about 1,000 customers to all the recipients.

The email was sent to inform the customers of changes to their billing cycle. Ironically, customers were required to provide a password to access the content of the email.

The email did not include any protected personal or health information, Lew Borman, a spokesman for the insurer, said Thursday. He said the customers were “a limited group of individual policy holders under 65.”

He said Blue Cross took action once the error was recognized, including reaching out to the customers.

“This was a human error,” Borman said. “We are very apologetic about this happening because the privacy of our customers is of utmost concern.”

“We are taking steps to implement additional safeguards, such as how e-mail addresses are entered, to reduce the chances of this occurring in the future.”

Nilla Childs said she was one of the Blue Cross customers whose e-mail address was exposed.

“One thousand other people had the opportunity to spam my inbox that I guard so carefully,” Childs said. “It was a mistake, I understand that. Everyone makes mistakes. I am sure the sender is embarrassed and never intended any harm.

“It is not the end of the world. It is only my email address, not my Social Security number, not my credit-card or bank-account number.

“But Blue Cross does have all that information in my file,” Childs said. “This breach of confidentiality unnerved me and eroded my confidence that my information is safe with them or with other institutions.”

Childs said that the “more powerful the agency, the more sophisticated the technology, the more diligent the need to protect our information.”

“There are no consequences to be paid by the offending agency, except for embarrassment,” Childs said. “The people whose personal information was shared have no means of restoration.”

Elizabeth Baker, an assistant professor at Wake Forest Schools of Business, said the error “is a simple mistake that could happen every day.” Baker focuses on information systems security issues.

Baker said Blue Cross can’t be held legally responsible for the error. It is considered low risk because it did not include specific personal or medical information.

However, Baker said, customers could have been affected in two main ways.

First, information included in the subject line could have disclosed something, or allowed for an inference, about their health status, Baker said.

Scammers could take that information and either send an email that appears to come from Blue Cross requesting personal or medical information, or send spam trying to sell a bogus product or service. Supervisors also may gain insight into an employee’s health status.

Second, scammers could use the email address to track the customers down online. “There are a number of companies that use a person’s email address as their log-in,” Baker said.

Another recent example of a company exposing customers’ information came in October when some Wells Fargo & Co. customers in Florida and South Carolina found strangers’ financial information in their bank statements.

Bank spokesman Josh Dunn said the cause of the mix-up was a malfunctioning printer in Charlotte. The error was unrelated to the 2011 integration of Wachovia Corp., Dunn said.

Dunn did not estimate how many customers were affected but said the bank is giving each of them a year's worth of free identity-theft protection.