Blue Cross and Blue Shield of North Carolina periodically shares the private personal and health information of hundreds of thousands of clients with a third-party company that designs the insurance company’s software system, documents and interviews show.
Internal documents obtained by The News & Observer reveal an ongoing discussion within Blue Cross about whether to scramble or “mask” the data before sending it outside the company’s secure production area. The company so far has decided that isn’t feasible.
Some computer experts and insurers say that Blue Cross should obscure the data before sharing the information, which includes names, addresses and Social Security numbers in addition to medical information. One of Blue Cross’ competitors does not send private data to third-party vendors, while a second does.
Blue Cross officials say they maintain their members’ privacy with a wide variety of tools: strict contractual agreements, limited access to the data, and a robust net of software and hardware that controls how the data is used. Outside auditing companies have given high marks to Blue Cross, they said. And Blue Cross officials say they have never had a security or privacy breach.
“Security is a very high priority at Blue Cross,” said chief information officer Jo Abernathy. “We can’t do business if we can’t demonstrate our ability to protect customer data.”
Abernathy said Blue Cross is an acknowledged industry leader in protecting customer data. The use of outside vendors to test and create data systems using private, unmasked information is common in health care and other industries, she said.
Abernathy acknowledged that Blue Cross periodically sends large data sets to DST Healthcare, its software designer, which is headquartered in Missouri. For example, in 2010 the company selected 845,861 clients and sent their complete data to DST, according to a 2010 memo on data transfer.
Abernathy said DST is bound by contract and federal privacy rules to protect the information.
But some experts point to the risk posed by rogue employees, citing the example of Edward Snowden, the Booz Allen employee who leaked materials about classified spying and surveillance programs. And while Snowden said he was acting as a whistleblower and not for personal profit, the Blue Cross data, with personal, health and financial information, could be extremely valuable for those interested in identity theft.
Testing with real data
Gary McGraw is the chief technology officer at Cigital, a computer security company whose clients include Bank of America, Goldman Sachs, the anti-virus firm Symantec and eBay, the online auction house.
McGraw said companies should never use actual private data to develop and test systems.
“That is really bad,” he said. “You don’t want to do testing with real data. ... We worry about leakage all the time.”
Robert Gellman, a privacy consultant from Washington, D.C., said insurance companies routinely share private health information with other health care firms, such hospitals, doctors or pharmacies, but other vendors are different.
“It’s pretty dumb to give it to a contractor to build software,” Gellman said. “You could find another way rather than send raw data. If there is a theft, someone steals a computer, takes home a memory stick, then you have a data breach, and it’s very expensive, millions of dollars, to remediate a data breach.”
A question of ‘masking’
Blue Cross is the biggest private health insurer in North Carolina, with 3.7 million members. Its customers include the State Employees Health Plan and Duke Energy Progress. In 2012, the not-for-profit insurer had $5.7 billion in revenue and net income of $58 million.
Like all insurers, Blue Cross holds an immense amount of private health information: name, date of birth, Social Security number, address, past addresses, medical history, security question and answers, employer, banking information and more.
Blue Cross stores that information in what is known as the production region, where the insurer processes and pays claims.
By all accounts, the production region at Blue Cross is secure. The concern arises when Blue Cross copies data from the production region to the test region, where software is written and tested, or from there to outside contractors.
Dana Cope is director of the N.C. State Employees Association, whose members’ health plan is administered by Blue Cross. He said he’s concerned about the use of unmasked data.
“Masking data is a reasonable request,” he said. “Maybe there’s a reason why it can’t be done.”
Duke Energy spokesman Dave Scanzoni said his company did not know that Blue Cross shared its employees’ data with outside vendors. “We take data privacy very seriously,” he said. “We’re confident in the ability of Blue Cross to protect our employees’ data.”
Trouble with security breaches has cropped up elsewhere, including other Blue Cross organizations, but not at Blue Cross in North Carolina. In 2009, the Federal Aviation Administration notified employees that a hacker stole the personal information of about 45,000 employees and retirees. Most of the breached files were test files used for application development, and two contained names and Social Security numbers.
Blue Cross has never had a security breach, officials said, and has never had its names posted on the federal “Wall of Shame” listing privacy and security breaches.
Debate within Blue Cross
Internal correspondence shows that there has been an ongoing discussion for years within Blue Cross about sharing private data without masking it, which would involve scrambling Social Security numbers or changing names and addresses to remove a person’s identity.
In August 2009, Gary Kilmer, a Blue Cross senior project manager, was preparing to send data into the test region. He asked in an email: “Do we have to be concerned with masking” private health information?
Steve McGehee, IT security architect for Blue Cross, responded that Blue Cross historically defended using actual data in the test region “on the grounds that it is cost prohibitive to reproduce volumes of functional test data across all of our integrated and inter-dependent systems.”
Privacy officer Jackie Chapman-Pointer then recommended using real data “when it is truly the most reasonable and feasible way to accomplish the task. ... My preference and recommendation is to use dummy or de-identified data when possible.”
Masking proposal rejected
In March 2012, Blue Cross solicited a bid from Fujitsu America to mask data in the company’s test region as well as for outside vendors.
According to the Fujitsu proposal, Blue Cross is committed to integrity and best practices, but ensuring the privacy and security of data was becoming increasingly difficult, with the use of more vendors in the U.S. and elsewhere. Previous efforts at masking data at Blue Cross had failed, Fujitsu said.
Fujitsu proposed a $115,000 bid to design and test a limited trial project. Blue Cross did not proceed with that project and does not mask its data, said Abernathy, the Blue Cross CIO.
She said it was unfair to cherry pick information from old emails. Blue Cross constantly reviews its security practices and thoroughly vets and audits its vendors, she said.
Blue Cross is working on a trial data-masking project, she said, but the company has such a large and complicated computer system that it is difficult to use scrambled data and make sure that all the various systems and programs work correctly with each other, she said. Cost was not the issue, she said.
What other insurers do
Other insurance companies gave differing answers on their practices.
“We only share aggregated or masked data,” said Joseph Mundy, a Cigna spokesman. “It’s hard to see why it’s not being masked.”
Aetna spokesman Timothy Willeford said the company only shares private health information in limited situations under terms similar to those at Blue Cross: The vendor has passed a security review and has signed a contract compliant with federal privacy laws, and Aetna provides only the minimum necessary data for the job.
Susan Adams, a lawyer and privacy expert at Dartmouth, said the increasing use of electronic medical records will probably increase the sharing of private health information. It should be done as little as possible, she said.
“Outsourcing is everywhere,” Adams said. “The key is to use the minimum information necessary for the purpose.”