BlueCross BlueShield Whistleblower Warns of Cybersecurity Vulnerabilities

An internal whistleblower has raised concerns about the cybersecurity of Minnesota's largest health insurer, BlueCross BlueShield. 

As reported yesterday by the Star Tribune newspaper, the whistleblower expressed concern that BlueCross BlueShield had left its system vulnerable to attack by neglecting to make thousands of important updates to its computer system.

Internal documents show that despite warnings to executives, 200,000 vulnerabilities that were deemed “critical” or “severe” were left to fester on the company's computer systems. In most cases, software patches to fix the issues were available. 

Documents obtained by the newspaper show that as far back as August 2018, cybersecurity engineer Tom Yardic met with executives to share concerns that important patches hadn't been installed.

Frustrated with their response, Yardic went on to email his concerns to the company's CEO and board of trustees on September 16. 

“I am sending this e-mail because I have been unable to impact the situation within the avenues the organization provides,” wrote Yardic. “What has not happened is a serious attempt to remedy the situation.”

In a statement emailed to the Star Tribune, the company's chief information security officer, Amy Ecklund, said that BlueCross BlueShield is working hard to cut the number of security vulnerabilities down before the end of the year. 

"We certainly understand that our members expect us to protect their most sensitive data, and we want them to know that we are committed every single day to doing just that," said Ecklund.

BlueCross BlueShield Minnesota insures 2.8 million people. To date, the company has not reported a data beach of ..

Support the originator by clicking the read the rest link below.