
BCBS Plans Offer Blanket ID Protection

Credit and ID Fraud Protection Offer Comes After Breaches

In the wake of large hacking attacks against several of its affiliates in recent months, the Blue Cross Blue Shield Association says all 36 of its affiliated health plans will begin offering free identity protection services to their members for as long as they're enrolled in insurance coverage. The services will include credit monitoring as well as fraud detection and resolution.


Although details of the extraordinary offer are still being worked out, the association says the ID protection services will be available no later than Jan. 1, 2016, to all 106 million individuals who are members of Blues plans nationwide. Individual plans will be reaching out to members, who can opt in to sign up for the services, a BCBSA spokeswoman tells Information Security Media Group.

Certain exceptions may apply, for instance, if an employer decides to opt out of the offering from a Blues plan, she said.

The offer from the Blues plans comes in the wake of hacker attacks earlier this year at Anthem Inc., which resulted in a breach impacting more than 79 million individuals; Premera Blue Cross, which affected about 11 million; and CareFirst Blue Cross Blue Shield, which impacted 1.1 million.

While those hacked Blues plans are already offering affected individuals free credit and identity monitoring services, their offers are for limited periods.

Many of the individuals whose data was potentially compromised by those hacker breaches were former Blues members. Only individuals who are active Blues plan members are eligible for the new, extended credit and ID protection offer.

Groundbreaking Offer

The offer for potentially perpetual credit and ID monitoring by BCBSA plans appears to be the most generous of any company dealing with the aftermath of a massive data breach, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

"I don't expect to see many companies following suit and offering indefinite identity theft protection, other than potentially companies that suffer large breaches and have an ongoing contract with consumers," he says. "For example, a retailer may be less likely to offer the services since the consumer may not even shop at the retailer again. But some credit card companies are already providing their customers with credit scores on a monthly basis and could potentially expand this to offering identity theft protection services in the future."

Most companies that experience data breaches typically extend offers for free credit monitoring and ID fraud protection for a year, maybe two. "We do believe that our offer is the most extensive in the healthcare industry," a BCBSA source tells ISMG.

The offer for seemingly endless credit monitoring protection for Blues plan members also addresses common concerns by critics who point out that ID theft and fraud can potentially result from data breaches years after an incident has occurred.

Heightened Safeguards

"The new services will provide heightened safeguards in the event of fraudulent use of personal and financial information for the millions of Americans that BCBS companies serve," the association says in a statement.

The services will be administered by third-party identity protection companies, which the association did not identify. They include:

  • Credit monitoring for activity that may affect a member's credit;
  • Fraud detection to identify potentially fraudulent use of a member's identity or credit;
  • Fraud resolution support to assist members in addressing issues that arise in relation to credit monitoring and fraud detection.

"This effort is part of our focus on applying cutting-edge security practices and protocols for Blue companies," Scott Serota, president and CEO of BCBSA, said in a statement.

"In an increasingly digital world, cyber-attacks are now a core threat to every business and government entity," the association said in its statement. "BCBS companies have taken aggressive steps to fortify protections for customers and lead the healthcare industry in the area of cybersecurity practices. The identity protection services being offered are the latest example of The Blues' commitment to member safety and security."

Bolstering Legal Defense?

The ID protection offer potentially could help in fighting the variety of class action lawsuits that have been filed against Anthem and other Blues plans in the wake of the breaches, Greene says.

"I do think that this level of protection bolsters litigation defense," he says. "Otherwise, when a company offers identity theft protection over a fixed period, plaintiffs can allege damages on the basis that any identity theft could occur after the identity theft protection expires. Such speculative damages, though, have not been very successful so far in litigation."

While the offer by the Blues plans is generous, it won't solve all problems related to potential post-breach fraud, says Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance.

"I would keep in mind that credit and financial fraud monitoring is excellent for instances where financial information was part of the data breach, however, most unfortunately, it will likely not be an early indicator of medical ID fraud in the event health plan IDs and Social Security numbers are compromised," she says. "It is still extremely important to self-monitor and carefully review your explanation of benefits [forms] and any other medical correspondence, whether from a healthcare provider or a health plan."

Privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, offers a similar perspective. "Offering ID theft protection doesn't do much of anything. And identity theft is easy to detect and repair, even without a company to track things for you. But medical ID theft can take years to discover and there is no clear path to fix the harms," she says. "Medical ID theft is the real problem that hardly any companies are addressing."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
