In 2018, the MyFitnessPal app was hacked, affecting 150 million users. The hack exposed the login credentials for app users; a year later, it was discovered that the stolen credentials were being sold on the dark web. Recently, that breach led to another, the Independence Blue Cross breach.
Independence Blue Cross Breach: What Happened
On May 8, 2020, the Independence Blue Cross Privacy Office was notified that plan members’ protected health information (PHI) had been accessed by an unauthorized party. Further investigation found that the member portal had been accessed from March 17, 2020 to April 30, 2020. The affected members had login credentials that had been exposed in a previous breach: passwords exposed in the 2018 MyFitnessPal breach were used to access the Independence member portal.
It is unclear how many plan members were affected by the Independence Blue Cross breach; however, the exposed information included member names, identification numbers, claims data, spending account balances, provider information, prescription information, and plan types.
In response to the breach, Independence is offering 24 months of free credit monitoring and identity protection services to exposed plan members. Additionally, Independence reviewed its internal policies and procedures and has implemented additional technical controls to prevent similar incidents from occurring in the future.
Independence Blue Cross Breach: How it Could Have Been Prevented
Since the Independence Blue Cross breach stemmed from an unrelated breach, preventing this breach comes down to the members. Generally, when a user’s login credentials are potentially exposed by an app, the company, in this case MyFitnessPal, alerts users that their login information was compromised. People often use the same login credentials to access multiple sites, which was the case in this instance. This is why, when users are notified that their login credentials may have been exposed, it is important that they also change their passwords for other accounts that use the same login information.