Data breach hits members of BlueCross BlueShield of Tennessee's vision care vendor

Hacker dark face using laptop in the dark room id theft steal i.d. theft tile / Getty Images

The vision care vendor for Tennessee's biggest health insurer was hacked last month, potentially impacting about 1,300 members of BlueCross BlueShield of Tennessee.

The Chattanooga-based health insurer said EyeMed has been the victim of a cyberattack that resulted in a data breach. Although there is no evidence yet that anyone's information was stolen or misused, EyeMed is informing its customers who may have had their data compromised and is offering assistance to those with questions, including free credit monitoring services.

On July 1, EyeMed learned an unauthorized individual accessed an EyeMed email box and sent phishing emails to addresses contained in the mailbox's address book.

After discovering the incident, EyeMed blocked the unauthorized individual's access and hired a cybersecurity firm to investigate. The accessed mailbox contained information about current and former recipients of vision benefits through EyeMed, including approximately 1,300 BlueCross members.

BlueCross spokesman John Hawbacker said the investigation revealed that the potentially accessed personal information included full name, address, date of birth, phone number, email address, vision insurance account/ID number, health insurance ID number, treatment information and Social Security numbers.

The Cincinnati, Ohio-based EyeMed, which provides vision care to health insurers across the country, said it has enhanced its protections by implementing additional security measures, including augmented access controls to the EyeMed network and supplemental security awareness training for personnel.

Eyecare conglomerate Luxottica of America, which operates EyeMed, also was hit in August when a threat actor gained access to the web-based appointment scheduling application managed by Luxottica. The information was used by its eyecare providers to help patients make appointments. The hack went on for four days before it was detected.

- Compiled by Dave Flessner