BlueCross BlueShield Whistleblower Warns of Cybersecurity Vulnerabilities


An internal whistleblower has raised concerns about the cybersecurity of Minnesota's largest health insurer, BlueCross BlueShield. 

As reported yesterday by the Star Tribune newspaper, the whistleblower expressed concern that BlueCross BlueShield had left its system vulnerable to attack by neglecting to make thousands of important updates to its computer system.

Internal documents show that despite warnings to executives, 200,000 vulnerabilities that were deemed “critical” or “severe” were left to fester on the company's computer systems. In most cases, software patches to fix the issues were available. 

Documents obtained by the newspaper show that as far back as August 2018, cybersecurity engineer Tom Yardic met with executives to share concerns that important patches hadn't been installed.

Frustrated with their response, Yardic went on to email his concerns to the company's CEO and board of trustees on September 16. 

“I am sending this e-mail because I have been unable to impact the situation within the avenues the organization provides,” wrote Yardic. “What has not happened is a serious attempt to remedy the situation.”

In a statement emailed to the Star Tribune, the company's chief information security officer, Amy Ecklund, said that BlueCross BlueShield is working hard to cut the number of security vulnerabilities down before the end of the year. 

"We certainly understand that our members expect us to protect their most sensitive data, and we want them to know that we are committed every single day to doing just that," said Ecklund.

BlueCross BlueShield Minnesota insures 2.8 million people. To date, the company has not reported a data breach of its own systems.

The personal data of 11,000 members of Minnesota's Supervalu Group Health Plan were breached in 2015 after Minnesota BlueCross BlueShield stored their information on vulnerable computers owned by another BlueCross licensee, now known as Anthem Inc.

“Protecting our members’ information is our top priority, and our efforts are ongoing,” Minnesota BlueCross BlueShield officials said via email. “As with all companies holding sensitive information, we remain vigilant in our security systems and testing, but we will always strive to do more.”
