Cyber Incident Victim: Blue Shield of California

In December 2015, Blue Shield of California was notified by an unnamed vendor that unauthorized access to customer data had occurred between September and December of that year. The breach exposed personal information of nearly 21,000 Individual and Family Plan members who enrolled in coverage between October 2013 and December 2015. Compromised data included names, addresses, dates of birth, and Social Security numbers. Blue Shield confirmed that no internal data systems were impacted, as the breach exclusively affected the vendor's systems. The unauthorized access resulted from the misuse of login credentials belonging to certain Blue Shield customer service representatives. While the company's notification letter implied credential compromise, media reports citing Blue Shield suggested call center employees may have fallen victim to a scam, though no specific details about the scam mechanism were provided.

Blue Shield initiated an investigation upon vendor notification and determined the scope of impacted members by mid-January 2016. Affected individuals received notification letters explaining the breach timeline and exposed data types. The company offered one year of complimentary Experian ProtectMyID credit monitoring services and provided guidance on self-protection measures. Neither Blue Shield nor the media reports identified the involved vendor or specified whether law enforcement was engaged. As of January 14, 2016, the incident had not yet appeared in HHS’s public breach database. The breach remained confined to the vendor’s infrastructure, with no secondary compromise of Blue Shield’s internal networks or systems reported.