Blue Shield of California (“Blue Shield”) received notification from J.D. Gilmour, a third-party insurance broker, that it experienced a data security incident that may have impacted certain personal information pertaining to Blue Shield members. We take the security of personal information very seriously, and we apologize for any inconvenience this incident may cause. This notice is intended to provide notice of the Incident, steps being taken in response to the Incident, and resources available to help you protect against the potential misuse of information. At this time, we have not received any reports of related misuse of health information since the date of the Incident.
On June 29, 2023, J.D. Gilmour, an insurance broker for Blue Shield of California (“Blue Shield”), became aware of potential unauthorized access to its e-mail environment (the “Incident”). Upon discovering the Incident, J.D. Gilmour immediately engaged a third-party cybersecurity forensic team to conduct a thorough investigation into its entire e-mail tenant and determine the nature and scope of the Incident. On August 2, 2023, the forensic investigation determined that an unknown party had gained unauthorized access to one (1) J.D. Gilmour employee e-mail user account.
Based upon this finding, J.D. Gilmour engaged a third-party data mining vendor to review the data within the compromised e-mail user account and determine whether personal information was maintained therein during the time of the Incident. On October 27, 2023, J.D. Gilmour completed its investigation of the data maintained within the compromised e-mail user account and determined that some member protected health information, related to their coverage with Blue Shield, was impacted as a result of the Incident. On November 29, 2023, J.D. Gilmour provided Blue Shield with a list of individuals impacted by the Incident.
Based upon the results of the investigation, the information that was impacted potentially included: member name, address, date of birth, Social Security number, health insurance information, health benefit plan names, health insurance policy numbers, billing/claim information, subscriber member number, health insurance group numbers, medical information, mental or physical condition and treatments, dates of service, diagnosis, treatment location, and provider names. Please note that to date, the investigation has found no evidence of actual or attempted misuse of personal information as a result of this incident.
J.D. Gilmour is working with cybersecurity experts to determine the actions to take in response to the incident. Together, J.D. Gilmour and Blue Shield continue to investigate and closely monitor the situation. Further, we are taking steps to strengthen our security posture to prevent a similar event from occurring again in the future.
We encourage you to remain vigilant, monitor your accounts, and immediately report any suspicious activity or suspected misuse of your personal information. Below are additional helpful tips you may want to consider to protect your personal information, such as the implementation of fraud alerts and security freezes. Please know that the protection of your personal information is a top priority, and we sincerely apologize for any concern or inconvenience that this matter may cause you. Should you have any questions not addressed in this notice, please do not hesitate to call 1-833-892-4287, Monday through Friday, 8:00 A.M. to 8:00 P.M. Eastern Standard Time, except holidays.
Additional Important Information
For residents of Hawaii, Michigan, Missouri, Virginia, Vermont, and North Carolina: It is recommended by state law that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity.
For residents of Illinois, Iowa, Maryland, Missouri, North Carolina, Oregon, and West Virginia: It is required by state laws to inform you that you may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report from each of the three nationwide credit reporting agencies. To order your free credit report, please visit www.annualcreditreport.com, or call toll-free at 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available at https://www.consumer.ftc.gov/articles/0155-free-credit-reports) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.
For residents of Iowa: State law advises you to report any suspected identity theft to law enforcement or to the Attorney General.
For residents of Oregon: State laws advise you to report any suspected identity theft to law enforcement, including the Attorney General, and the Federal Trade Commission.
For residents of Maryland, Rhode Island, Illinois, New York, and North Carolina: You can obtain information from the Maryland and North Carolina Offices of the Attorney General and the Federal Trade Commission about fraud alerts, security freezes, and steps you can take toward preventing identity theft.
Maryland Office of the Attorney General Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, 1-888-743-0023, www.oag.state.md.us
Rhode Island Office of the Attorney General Consumer Protection, 150 South Main Street, Providence, RI 02903, 1-401-274-4400, www.riag.ri.gov
North Carolina Office of the Attorney General Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-877-566-7226, www.ncdoj.com
Federal Trade Commission Consumer Response Center, 600 Pennsylvania Ave, NW Washington, DC 20580, 1-877- IDTHEFT (438-4338), www.ftc.gov/idtheft
New York Office of Attorney General Consumer Frauds & Protection, The Capitol, Albany, NY 12224, 1-800-771-7755, https://ag.ny.gov/consumer-frauds/identity-theft
For residents of Massachusetts: It is required by state law that you are informed of your right to obtain a police report if you are a victim of identity theft.
For residents of all states -
Fraud Alerts: You can place fraud alerts with the three credit bureaus by phone and online with Equifax (https://assets.equifax.com/assets/personal/Fraud_Alert_Request_Form.pdf); TransUnion (https://www.transunion.com/fraud-alerts); or Experian (https://www.experian.com/fraud/center.html). A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. As of September 21, 2018, initial fraud alerts last for one year. Victims of identity theft can also get an extended fraud alert for seven years. The phone numbers for all three credit bureaus are at the bottom of this page.
Monitoring: You should always remain vigilant and monitor your accounts for suspicious or unusual activity.
Security Freeze: You also have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, regular stamped mail, or by following the instructions found at the websites listed below. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse or a minor under the age of 16, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. As of September 21, 2018, it is free to place, lift, or remove a security freeze. You may also place a security freeze for children under the age of 16. You may obtain a free security freeze by contacting any one or more of the following national consumer reporting agencies:
Equifax Security Freeze P.O. Box 105788 Atlanta, GA 30348, equifax.com/personal/credit-report-services/, 1-800-349-9960
Experian Security Freeze P.O. Box 9554 Allen, TX 75013, experian.com/freeze/center.html, 1-888-397-3742
TransUnion Security Freeze P.O. Box 160 Woodlyn, PA 19094, transunion.com/credit-freeze, 1-888-909-8872
More information can also be obtained by contacting the Federal Trade Commission listed above.