Cyber Incident Victim: US Wellness
Date:
Jan 2023
Location:
United States of America
Summary
US Wellness experienced a vendor-related data security incident that potentially compromised personal and protected health information of certain Blue Cross Blue Shield members, including names, addresses, dates of birth, member IDs, service origin details, and service location addresses. The organization secured affected systems, initiated an investigation, and confirmed no evidence of data misuse. Notifications were sent to impacted individuals with protective guidance, alongside establishing a dedicated call center for assistance. Security measures were subsequently enhanced to mitigate similar risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 31, 2023, US Wellness’ vendor experienced a security incident that disrupted access to certain systems within the organization’s infrastructure. US Wellness responded by immediately securing affected systems and initiating an investigation to determine the nature and scope of the disruption. The investigation revealed that unauthorized access to vendor systems had occurred, though the specific methods or actors involved were not publicly disclosed. By February 9, 2023, US Wellness confirmed that the incident potentially impacted personal and/or protected health information belonging to certain Blue Cross Blue Shield of Arizona (BCBSAZ) members. The compromised data fields included names, addresses, dates of birth, member ID numbers, service origin details, and service location addresses. No evidence suggested misuse of the exposed information at any stage of the investigation. The incident did not affect all BCBSAZ members, only a subset whose data was processed through the vendor’s compromised systems.
US Wellness formally notified potentially affected individuals via mailed letters on March 22, 2023, approximately seven weeks after discovering the data exposure. The notifications outlined the incident’s circumstances, specified the types of data involved, and provided guidance on protective measures individuals could undertake independently. A dedicated toll-free call center (1-800-773-1925) was established to address inquiries, operating during extended hours across weekdays and weekends, with callers instructed to reference engagement number B087457. Internally, US Wellness implemented enhanced security protocols across its environment to reduce the likelihood of recurrence, though technical specifics of these measures were not detailed publicly. The organization emphasized its commitment to data protection and expressed regret for any inconvenience caused, while maintaining that no operational disruptions to BCBSAZ services occurred beyond the initial system access issues. The incident remained confined to the vendor’s systems and did not escalate to broader network compromise or additional data categories beyond those identified in the investigation.