Data breach impacts more than 400,000 in Puerto Rico

Contributed by Roumiana Deltcheva (Tuesday, November 30, 2010) | Category : Email security

Triple-S Management, the Blue Cross Blue Shield insurance licensing representative in Puerto Rico, recently suffered a massive data breach, which leaked the information of more than 400,000 of its customers. According to Health Data Management, the breach came when a competing company's employees accessed a database containing the information.

Multiple instances of unauthorized access occurred between September 9 and 15, according to Health Data Management. The undisclosed company illegally downloaded the information of Triple-S' customers into their own systems. Initial reports found these attacks stole information of approximately 398,000 customers, but further investigation found a series of smaller breaches compromised the information of more than 8,000 additional customers. Health Data Management reported these instances took place between October 2008 and 2010.

The competitor's employees used at least one user ID and password to access the database.

"We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs," Joseph Goedert of Triple-S Management said in a statement, according to the news provider. "We believe, however, that the most likely target was financial information related to [insurance planning associates] rather than the individuals' information. During the course of our investigation we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs."

Regulations implemented by the U.S. federal government in recent months mandate that health information be stored and managed electronically. However, the move requires organizations to improve their data-leak prevention to avoid cases similar to Triple-S' current problem. Failing to do so can result in massive fines and other sanctions that can impact an insurance provider's ability to serve its customers. Furthermore, customers may lose confidence in the company if the breach results in issues related to identity theft or other exploitation of the data.

According to Goedert, a $100,000 fine has been handed to Triple-S Management, however, the company will appeal the sanction due to the inappropriate activity of its competitor.