Blue Cross Blue Shield of Minnesota, which is Minnesota’s biggest health insurance company, is presently trying to take care of approximately 200,000 unaddressed vulnerabilities detected on its servers, a number of which are above a decade old.
In August 2018, Tom Yardic, cybersecurity engineer at BCBS Minnesota, discovered that patches were not applied to its servers, in spite of the critical or severe vulnerabilities. Even after Tom Yardic spoke about the issue with the BCBS Minnesota officers, there was no action undertaken. After one month, Tom Yardic informed the BCBS Minnesota board of trustees so as to encourage taking action on the vulnerabilities.
A recent Star Tribune report talked about evidence that BCBS Minnesota had not dealt with the vulnerabilities for a couple of years. There were approximately 200,000 unresolved severe or critical vulnerabilities on around 2,000 servers involved. Of all the vulnerabilities, around 44% were more than 3 years old and 12% were more than 10 years old.
BCBS Minnesota has around 3.9 million plan members. Not fixing the vulnerabilities in an acceptable time frame puts sensitive information at stake.
The Star Tribune spoke to BCBS Minnesota officers who said that they are currently resolving the vulnerabilities and said they’re looking to fix the vulnerabilities as much as they can prior to the end of the year. As mentioned by the Star Tribune, Minnesota Blue Cross did not contradict the correctness of the total number of their past vulnerabilities, however, the insurer said that the number of unaddressed vulnerabilities now is considerably lower, especially on workstations.
It isn’t uncommon for a cybersecurity engineer to make a move to resolve the vulnerabilities. It is alarming though for a company to take a long time to do something particularly after being aware of the cyberattacks on Excellus BCBS, Premera Blue Cross, and Anthem Inc. in 2015, which brought about the stealing of the protected health information (PHI) of about 99.8 million Americans.
What is surprising is the fact that BCBS Minnesota did not report to the HHS Office for Civil Rights even one data breach despite having a huge number of unaddressed vulnerabilities. There is no data breach reported by BCBS Minnesota among the published breach summaries on OCR’s breach portal since 2009.