OAKLAND, Calif. (November 17, 2023) – On September 1, 2023, Blue Shield of California (“Blue Shield”) received notification from a contracted vendor that it was the recent victim of the MOVEit secure file-transfer tool global data security incident. The vendor impacted by this incident manages vision benefits for many of our Blue Shield members. Additionally, they receive information related to member eligibility, authorized third parties, and vision claims processing.
Blue Shield members impacted by the MOVEit file transfer tool security breach are being provided with no-cost credit monitoring with identity restoration services. Blue Shield takes this situation very seriously and is committed to protecting the privacy of members.
On August 23, 2023, Blue Shield’s vendor discovered that an unauthorized third party had accessed information on its MOVEit server by exploiting an unknown vulnerability in MOVEit’s system. The vendor immediately took the server offline, launched an investigation into the incident, engaged a cybersecurity firm and reported the matter to the FBI. It was determined that the unauthorized third party exfiltrated information from the server on May 28, 2023, and May 31, 2023. The vendor has rebuilt the MOVEit system in accordance with gold standard build requirements. Before reactivating the system, the vendor undertook a number of technical measures to validate security controls put in place.
Following a detailed analysis and review of all potentially compromised files, Blue Shield recently determined that the information affected may have included: member name, member date of birth, address, subscriber ID number, subscriber name, subscriber date of birth, subscriber Social Security number, group ID number, vision provider’s name, patient ID number, vision claims number, vision related treatment and diagnosis information, and vision related treatment cost information. There is no evidence that Blue Shield’s systems and emails were ever affected or vulnerable to this attack.
A dedicated call center has been established to answer questions. If you have any questions regarding this incident or the services available to you, please call 1- 866-983-2632 Monday through Friday from 8:00am to 7:00pm Central Time, excluding major U.S. holidays.
Below are additional helpful tips you may want to consider to protect your personal information.
Review Your Credit Reports and Account Statements & Notify Law Enforcement of Suspicious Activity
As a precautionary measure, we recommend that you remain vigilant by reviewing your credit reports and account statements closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or other company with which the account is maintained. You also should promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact law enforcement, the Federal Trade Commission (“FTC”) and/or the Attorney General’s office in your home state. You can also contact these agencies for information on how to prevent or avoid identity theft, and you can contact the FTC at:
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
Copy of Credit Report
You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting https://www.annualcreditreport.com, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to the Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You can print this form at https://www.annualcreditreport.com/manualRequestForm.action. Credit reporting agency contact details are provided below.
P.O. Box 740241
Atlanta, GA 30374
P.O. Box 2002
Allen, TX 75013
P.O. Box 1000
Chester, PA 19016
When you receive your credit reports, review them carefully. Look for accounts or credit inquiries that you did not initiate or do not recognize. Look for information, such as home address and Social Security number, that is inaccurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.
You may want to consider placing a fraud alert on your credit file. An initial fraud alert is free and will stay on your credit file for at least 90 days. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. If you have already been a victim of identity theft, you may have an extended alert placed on your report if you provide the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above.
You have the right to place a security freeze on your credit file free of charge. This will prevent new credit from being opened in your name without the use of a PIN number that is issued to you when you initiate the freeze. A security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. As a result, using a security freeze may delay your ability to obtain credit. In order to place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you including your full name; social security number; date of birth; current and prvious addresses; a copy of your state-issued identification card; and a recent utility bill, bank statement, or telephone bill.
Federal Fair Credit Reporting Act Rights
The Fair Credit Reporting Act (“FCRA”) is federal legislation that regulates how consumer reporting agencies use your information. It promotes the accuracy, fairness, and privacy of consumer information in the files of consumer reporting agencies. As a consumer, you have certain rights under the FCRA, which the FTC has summarized as follows: you must be told if information in your file has been used against you; you have the right to know what is in your file; you have the right to ask for a credit score; you have the right to dispute incomplete or inaccurate information; consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violators. Identity theft victims and active-duty military personnel have additional rights.
For more information about these rights, you may go to www.ftc.gov/credit or write to: Consumer Response Center, Room 13-A, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
If you are the victim of fraud or identity theft, you also have the right to file a police report.
You may consider starting a file with copies of your credit reports, any police report, any correspondence, and copies of disputed bills. It is also useful to keep a log of your conversations with creditors, law enforcement officials, and other relevant parties.
For Colorado and Illinois residents: You may obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes.
For District of Columbia residents: You may contact the Office of the Attorney General for the District of Columbia, 441 4th Street NW, Suite 110 South, Washington D.C. 20001, https://www.oag.dc.gov/, 1-202-727-3400.
For Iowa residents: You are advised to report any suspected identity theft to law enforcement, including the Federal Trade Commission and the state Attorney General.
For Maryland residents: You may contact the Office of the Maryland Attorney General, 200 St. Paul Place, Baltimore, MD 21202, http://www.marylandattorneygeneral.gov, 1-888-743-0023. The Office of the Maryland Attorney General may be able to provide you with information about the steps you can take to avoid identity theft.
For Massachusetts residents: You have the right to obtain a police report regarding this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
For New York residents: For more information on identity theft, you can contact the following: New York Department of State Division of Consumer Protection at http://www.dos.ny.gov/consumerprotection or (800) 697-1220 or NYS Attorney General at http://www.ag.ny.gov/home.html or (800) 771-7755.
For North Carolina residents: You may contact the North Carolina Office of the Attorney General, 9001 Mail Service Center, Raleigh, NC 27699-9001, http://www.ncdoj.gov, 1-877-566-7226. You are also advised to report any suspected identity theft to law enforcement or to the North Carolina Attorney General.
For Oregon residents: You are advised to report any suspected identity theft to law enforcement, including the FTC and the Oregon Attorney General. For more information on security locks, you can visit the Oregon Department of Consumer and Commercial Services website at www.dfcs.oregon.gov/id_theft.html and click “How to get a security freeze.”
For Iowa, Montana, New York, North Carolina, Oregon, Washington, and Washington, D.C. residents: You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit bureaus directly to obtain such additional report(s).
Blue Shield of California Contact: