Independence Blue Cross in Pennsylvania is notifying an undisclosed number of plan members about a potential compromise of their protected health information after an employee uploaded a file containing personal data to a website that was publicly accessible for three months.
The information was viewable between April 23 and July 20, according to a notice posted on the payer's website. Independence immediately took the information down upon discovery. An investigation into the incident was unable to conclude whether PHI was accessed, but Independence said it was unaware of any actual or attempted misuse of the data.
The information included members' names, dates of birth, diagnosis codes, provider information and other information used for claim processing purposes such as claim numbers, referral numbers and service dates. No Social Security numbers or financial information was compromised.
"We reviewed company policies and procedures and implemented additional technical controls to help prevent future incidents of this kind," the notice states. "We also ensured that the appropriate action was taken with the employee responsible for uploading the subject file."
Independence is offering affected members one free credit report annually from each of the three major credit reporting bureaus.