HIPAA Substitute Notice

August 23, 2024

What happened

On June 12, 2024, Blue Cross and Blue Shield of North Carolina (“Blue Cross NC”) met with its wellness vendor, Rally Health, Inc. (“Rally”), to discuss a noted uptick in gift card redemptions on the Rally website and what appeared to be suspicious email addresses associated with the redemptions. From Rally’s investigation, it appeared that an unauthorized party was accessing the Rally wellness portal from a link within the Blue Cross NC member portal (“Blue Connect”) and then creating new accounts in the Rally wellness portal. Rally noted that once the new account was created, the unauthorized party then completed certain activities to earn rewards that were then redeemed for gift cards on the same day.

Upon learning of this activity, Blue Cross NC immediately launched its own investigation and engaged counsel, which engaged third-party experts to determine the nature and scope of the incident. Based on the investigation, it appears that between May 21, 2024, and June 19, 2024, the unauthorized party utilized usernames and passwords that came from sources unrelated to Blue Cross NC to access Blue Connect accounts. Once in the accounts, the unauthorized party then navigated through various pages within Blue Connect in order to obtain enough information to create an account in the Rally wellness portal. In some instances, the unauthorized party accessed the Blue Connect account of an individual who did not have Rally wellness as a benefit and, therefore, was unable to create a Rally account.

On July 1, 2024, Blue Cross NC was able to identify some of the individuals that might have been impacted by the incident.  On or about August 8, 2024, Blue Cross NC concluded its investigation and was able to identify all individuals potentially impacted by the incident.   

What information was involved

The unauthorized party was able to access pages in the Blue Connect portal that contained your name, subscriber ID number, group name and number, date of birth, and, if applicable, similar information for other individuals (dependents) on your plan. No other information in Blue Connect was impacted by this incident, and there was no access to any other types of personal information, such as Social Security number, financial account information, or any health or treatment information, such as claims. 

What we are doing about this incident

When Blue Cross NC learned of this incident, we took immediate steps to ensure that we were addressing this incident and mitigating any potential risks for our members. Although this incident only affected a very small number of Blue Connect accounts, we reset all Blue Connect passwords and required new passwords to be longer. We also removed dates of birth from Blue Connect accounts and further enhanced our security and monitoring controls to prevent similar unauthorized activity in the Blue Connect portal. Blue Cross NC also made a report to law enforcement.

In addition, while we have no reason to believe that this incident will cause any problems for you, we want to make you aware of steps you may take to guard against identity theft or fraud. Please review the Reference Guide below for information on general steps you can take to monitor and protect your personal information. If you think that your personal information is being improperly used in any manner, you can contact the Federal Trade Commission at 877-ID-THEFT (877-438-4338).

For more information

If you have any questions, you may call the toll-free customer service number on the back of your member ID card or call 888-206-4697.

Blue Cross NC sincerely regrets this matter and any inconvenience it may have caused you. Please be assured that Blue Cross NC is committed to safeguarding your personal information and providing quality services to all our customers. 

Reference Guide

Review your account statements

Carefully review statements sent to you from providers as well as from your insurance company to ensure that all of your account activity is valid. Report any questionable charges promptly to the provider’s billing office, or for insurance statements, to your insurance company.

Provide any updated personal information to your health care provider

Your health care provider’s office may ask to see a photo ID to verify your identity. Please bring a photo ID with you to every appointment if possible. Your provider’s office may also ask you to confirm your date of birth, address, telephone, and other pertinent information so that they can make sure that all of your information is up to date. Please be sure to tell your provider’s office when there are any changes to your information. Carefully reviewing this information with your provider’s office at each visit can help to avoid problems and to address them quickly should there be any discrepancies.

Order your free credit report

To order your free annual credit report, visit www.annualcreditreport.com, call toll-free at 877-322-8228, or complete the Annual Credit Report Request Form on the US Federal Trade Commission’s (“FTC”) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.  The 3 credit bureaus provide free annual credit reports only through the website, toll-free number or request form.

Upon receiving your credit report, review it carefully.  Look for accounts you did not open.  Look in the “inquiries” section for names of creditors from whom you have not requested credit.  Some companies bill under names other than their store or commercial names; the credit bureau will be able to tell if this is the case.  Look in the “personal information” section for any inaccuracies in information (such as home address and Social Security Number). 

If you see anything you do not understand, call the credit bureau at the telephone number on the report.  Errors may be a warning sign of possible identity theft.  You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected.  If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing.  Information that cannot be explained should also be reported to your local police or sheriff’s office because it may signal criminal activity. 

Contact the US Federal Trade Commission

If you detect any unauthorized transactions in any of your financial accounts, promptly notify the appropriate payment card company or financial institution. If you detect any incidents of identity theft or fraud, promptly report the matter to your local law enforcement authorities, state Attorney General and the FTC.

You can contact the FTC to learn more about how to protect yourself from becoming a victim of identity theft by using the contact information below:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
877-ID-THEFT (877-438-4338)
www.ftc.gov/idtheft

Place a fraud alert on your credit file

To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert helps protect against the possibility of an identity thief opening new credit accounts in your name.  When a credit grantor checks the credit history of someone applying for credit, the credit grantor gets a notice that the applicant may be the victim of identity theft.  The alert notifies the credit grantor to take steps to verify the identity of the applicant. You can place a fraud alert on your credit report by calling any one of the toll-free fraud numbers provided below. You will reach an automated telephone system that allows flagging of your file with a fraud alert at all 3 credit bureaus.

 

Equifax
P.O. Box 105069
Atlanta, Georgia 30348
800-525-6285
www.equifax.com

Experian
P.O. Box 2002
Allen, Texas 75013
888-397-3742
www.experian.com

TransUnion
P.O. Box 2000
Chester, PA 19016
800-680-7289
www.transunion.com

Security freezes

You have the right to request a credit freeze from a consumer reporting agency, free of charge, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze.  A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a security freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a security freeze may delay your ability to obtain credit. 

Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit bureau. To place a security freeze on your credit report you must contact the credit reporting agency by phone, mail, or secure electronic means and provide proper identification of your identity. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him / her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue.

Below, please find relevant contact information for the 3 consumer reporting agencies:

Equifax Security Freeze
P.O. Box 105788
Atlanta, Georgia 30348
888-298-0045
www.equifax.com


Experian Security Freeze
P.O. Box 9554
Allen, Texas 75013
888-397-3742
www.experian.com


TransUnion Security Freeze
P.O. Box 160
Woodlyn, PA 19094
888-909-8872
www.transunion.com

Once you have submitted your request, the credit reporting agency must place the security freeze no later than 1 business day after receiving a request by phone or secure electronic means, and no later than 3 business days after receiving a request by mail. No later than 5 business days after placing the security freeze, the credit reporting agency will send you confirmation and information on how you can remove the freeze in the future.

For residents of North Carolina

You may also obtain information about preventing and avoiding identity theft from the North Carolina Attorney General’s Office:

North Carolina Attorney General’s Office, Consumer Protection Division
9001 Mail Service Center
Raleigh, NC 27699-9001
877-5-NO-SCAM
www.ncdoj.gov

For residents of Maryland

You may also obtain information about preventing and avoiding identity theft from the Maryland Office of the Attorney General:

Maryland Office of the Attorney General, Consumer Protection Division
200 St. Paul Place
Baltimore, MD 21202
888-743-0023
www.marylandattorneygeneral.gov

For residents of Massachusetts

You have the right to obtain a police report with respect to this incident.  If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

For residents of New York

You may also obtain information about security breach response and identity theft prevention and protection from the New York Attorney General’s Office:

Office of the Attorney General
The Capitol
Albany, NY 12224-0341
800-771-7755
www.ag.ny.gov