Identity Theft Notice, ONE YEAR LATER

2,427 Views | 30 Replies | Last: 9 days ago by Fenrir
LOYAL AG
AG
Yesterday we received mail from some random company I've never heard of, notices telling me, my wife and our 24-year-old daughter that this company, a third-party vendor to Blue Cross, had forgotten to lock the back door and got hacked. This is their description of the incident:

Quote:

On January 13, 2025 we discovered that we were the victim of a cyber incident that impacted a limited portion of our network….Our investigation determined that an unauthorized third party had access to our environment from October 21, 2024 to January 13, 2025, and obtained some files associated with Blue Cross and Blue Shield of Texas….

The affected files contained your name and the following: address, date of birth, and Social Security number.


To be clear I'm not one that believes everyone that wants my information doesn't already have it. We give out information like candy these days so I'm not naive enough to believe nobody knows my SSN. I keep my credit frozen for this very reason. Still, it's been a ****ing year and you're just now getting around to telling me you gave my information to someone else? Seriously?

This is the kind of ish that makes people like me want more government. It's been 358 days since you found out. That's simply unacceptable. Then of course they said they've arranged for one year of free credit monitoring and I have less than 90 days to sign up. How magnanimous of them.

I know there are some IT people here. Is it not possible to notify people impacted within 90 days that you ****ed up? I'm frankly not even bothered it happened but I am bothered it took a year to tell me. It's like your wife giving birth to what is obviously the neighbor's kid then deciding to tell you they had a one night stand. It seems like there needs to be a limit to how long they have before they notify impacted people. Maybe 90 days for a preliminary notice saying there was an incident and promising more info when it's available then offering the identity theft monitoring right then and there.

Then again all of the info they gave away except my SSN is for sale at the county tax office so maybe this isn't that big of a deal. I don't know. What am I missing?
ts5641
It almost seems like monthly we get some notification some vendor or 3rd party has had an info leak. It's gotten completely out of hand. Cybersecurity sucks balls.
HollywoodBQ
AG
Seems slow, but what they said is:
They discovered the attack on 1/13/2025.

Then they did an investigation to determine the exposure.

They didn't say how long that investigation took.

And after the investigation reached its conclusion, no doubt they had to check with their lawyers to figure out how to respond.

Depending on their IT systems - network monitoring, backup & recovery, etc., the investigation could have easily taken 3-6 months to complete.

I can't speak to BCBS Texas but working with them in California, they whacked some of their best IT workers back in late 2021 because they refused to take the vax. So, it's been working with the B Team or worse for the past 4 years.
G. hirsutum Ag
AG
Hate to break it to you, but your birthday, SSN and address got hacked a long time ago. You just didn't know it.
WestHoustonAg79
Go pay one of those services like Experian etc that do dark web scans for you. After your head explodes, come back and tell us how much you care about your OP.
Stressboy
AG
Most privacy laws say that you must notify people within 30-45 days (depends on the state) of the conclusion of the incident investigation with an exception for law enforcement involvement which might drag it out.

That said, only California has a true enforcement agency and severe enough penalties to hold people accountable; otherwise it falls on the state AG, who has a lot bigger fish to fry than fining companies $250-500k.
Gilligan
AG
WestHoustonAg79 said:

Go pay one of those services like Experian etc that do dark web scans for you. After your head explodes, come back and tell us how much you care about your OP.



I almost spit out my coffee laughing at this.

People don't understand that it's a WHEN, not an IF.
EMY92
AG
WestHoustonAg79 said:

Go pay one of those services like Experian etc that do dark web scans for you. After your head explodes, come back and tell us how much you care about your OP.

Wasn't the biggest leak of all from Experian? Makes it easy for them to track their own data.
WestHoustonAg79
I have no idea. I just use Experian to track and mainly freeze my credit. Comes with the dark web scan and I feel like damn near every site has been hacked at some point. It's to the point you can't worry about it until something happens bc everyone's sensitive info is all over the place.
LOYAL AG
AG
G. hirsutum Ag said:

Hate to break it to you, but your birthday, SSN and address got hacked a long time ago. You just didn't know it.


I literally said that in my OP, which you didn't read.
LOYAL AG
AG
WestHoustonAg79 said:

Go pay one of those services like Experian etc that do dark web scans for you. After your head explodes, come back and tell us how much you care about your OP.


Same for you. Literally said that data is already out there in the OP you didn't read.

I'm questioning a year to notify me, not the exposure itself.
BlackGold
AG
Notifications like these are always delayed and give the affected party little to no recourse. Seems pretty standard.
Rapier108
ts5641 said:

It almost seems like monthly we get some notification some vendor or 3rd party has had an info leak. It's gotten completely out of hand. Cybersecurity sucks balls.

Pretty much, and it's almost always a 3rd party who is the cause of the actual breach.
Logos Stick
OP...

stop using "PASSWORD" as your password. HTH
txyaloo
AG
LOYAL AG said:

WestHoustonAg79 said:

Go pay one of those services like Experian etc that do dark web scans for you. After your head explodes, come back and tell us how much you care about your OP.


Same for you. Literally said that data is already out there in the OP you didn't read.

I'm questioning a year to notify me, not the exposure itself.

Companies bound by HIPAA have 60 days to notify you of the breach once it's been identified.

https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html#:~:text=These%20individual%20notifications%20must%20be%20provided%20without,covered%20entity%20(or%20business%20associate%2C%20as%20applicable).

Quote:

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).


Logos Stick
Also, for those that don't know, put a credit FREEZE on your accounts:

www.equifax.com
www.experian.com
www.transunion.com


you're welcome
MouthBQ98
AG
Yeah, I know the feeling. I got notified recently that someone broke into the data for a company that processes paperwork for car dealerships and my data was exposed. That explains how someone had a fairly detailed employment record for me (pay stub info) and sold it to some idiot that attempted to file for unemployment with my information. That dunce didn't realize Texas sends all the paperwork by snail mail to the home address listed by the employer so I got it and promptly notified the state about the fraudulent filing.
Signel
AG
These companies have insurance policies that cover them for breaches. They have very strict rules about how and what they are told to tell everyone and when. This has to do with liability, payouts, and eventual regulatory fines, depending on what data was stolen.

Most of these companies don't have the ability to fully see what has been stolen quickly and what the real impact is. On top of that, they are understaffed and are more worried about the bottom line (profit) over real world safety of the data. Security is often counterproductive to business if you follow me. Everyone gets annoyed with having to enter the "Code" and their password (two factor authentication) but realistically, most of your passwords have been stolen 10 times. You use the same damn PW over and over anyway.

Couple that with the fact that everyone in America has been in many breaches, and their data is all over the dark web, and you are essentially wide open.

Now start using AI to combine all that stolen data and what could happen?
Signel
AG
txyaloo said:

LOYAL AG said:

WestHoustonAg79 said:

Go pay one of those services like Experian etc that do dark web scans for you. After your head explodes, come back and tell us how much you care about your OP.


Same for you. Literally said that data is already out there in the OP you didn't read.

I'm questioning a year to notify me, not the exposure itself.

Companies bound by HIPAA have 60 days to notify you of the breach once it's been identified.

https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html#:~:text=These%20individual%20notifications%20must%20be%20provided%20without,covered%20entity%20(or%20business%20associate%2C%20as%20applicable).

Quote:

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).




These are my favorite (and I've been through a bunch of OCR/HHS audits). "Once it's been identified" is often the moving target, and people assume the government is good at what they do. How can you report to someone that their data was stolen when you can't really tell what has happened, what was exfiltrated, and what systems are still impacted? That grey area is where companies delay reports and notifications. Their legal IR teams guide them on how best to avoid the million-dollar fines from OCR.
YouBet
AG
Logos Stick said:

also for those that don't know, put a credit FREEZE on your accounts:

www.equifax.com
www.experian.com
www.transunion.com


you're welcome


Correct. If you are just doing this with Experian, then you are still exposed. I just did this last year with all three and my personal experience is that freezing your credit with Transunion and Experian was easy. Set up account, click button to freeze credit.

Equifax was a nightmare. I had to call India to get my credit frozen and it took 3 hours to get it done.
WestHoustonAg79
LOYAL AG said:

WestHoustonAg79 said:

Go pay one of those services like Experian etc that do dark web scans for you. After your head explodes, come back and tell us how much you care about your OP.


Same for you. Literally said that data is already out there in the OP you didn't read.

I'm questioning a year to notify me, not the exposure itself.


It's total trash it took a year. I get that. But what would you have done if they notified you then? What do you do when you get these notifications?
YouBet
AG
WestHoustonAg79 said:

LOYAL AG said:

WestHoustonAg79 said:

Go pay one of those services like Experian etc that do dark web scans for you. After your head explodes, come back and tell us how much you care about your OP.


Same for you. Literally said that data is already out there in the OP you didn't read.

I'm questioning a year to notify me, not the exposure itself.


It's total trash it took a year. I get that. But what would you have done if they notified you then? What do you do when you get these notifications?


Common sense says to check your credit report to locate any fraudulent activity. If you notice some, immediately shut down the affected account.

In the meantime, freeze your credit.
ag94whoop
AG
Yeah almost everyone with BCBS was exposed.
My whole family including kids. And yep a year ago.
This has become so commonplace it's ridiculous.
FCBlitz
G. hirsutum Ag said:

Hate to break it to you, but your birthday, SSN and address got hacked a long time ago. You just didn't know it.

This is the real answer. I work for the DoW. First year at work, I was implementing all of these safeguards, turning my phone off... then you start running into the real dark arts guys in the government, and they tell you there is only so much you can do: data can be mined from EVERYWHERE. So just count your blessings that you haven't been nicked.
torrid
AG
I worked as a co-op at a major company in the late nineties, never had an interest in pursuing a career there. One day, twenty years later, I received a letter from them.

They had a data breach; a tape with employee data had gone missing. They were offering one year of credit monitoring and identity protection.

I figured it was a tape no one could read, so I didn't bother with it.

Kenneth_2003
AG
YouBet said:

Logos Stick said:

also for those that don't know, put a credit FREEZE on your accounts:

www.equifax.com
www.experian.com
www.transunion.com


you're welcome


Correct. If you are just doing this with Experian, then you are still exposed. I just did this last year with all three and my personal experience is that freezing your credit with Transunion and Experian was easy. Set up account, click button to freeze credit.

Equifax was a nightmare. I had to call India to get my credit frozen and it took 3 hours to get it done.

Try UNfreezing it.
It took me nearly a week back in 2017.

I had gotten laid off, and my employer wanted to release my company cell phone, which I also used for personal use, to me. AT&T needed to run a credit history, and Experian could not get my credit unfrozen.
91Challenger
AG
"1 2 3 4....that's the code to my luggage!"
"A is A"
MouthBQ98
AG
I wish we would go Singapore on any ID theft perps we do manage to catch. Public canings and hard long prison time. If you are foreign, we just pay some mercy to make you stop by whatever means. Fed up with the theft.
YouBet
AG
Kenneth_2003 said:

YouBet said:

Logos Stick said:

also for those that don't know, put a credit FREEZE on your accounts:

www.equifax.com
www.experian.com
www.transunion.com


you're welcome


Correct. If you are just doing this with Experian, then you are still exposed. I just did this last year with all three and my personal experience is that freezing your credit with Transunion and Experian was easy. Set up account, click button to freeze credit.

Equifax was a nightmare. I had to call India to get my credit frozen and it took 3 hours to get it done.

Try UNfreezing it.
It took me nearly a week back in 2017.

I had gotten laid off, and my employer wanted to release my company cell phone, which I also used for personal use, to me. AT&T needed to run a credit history, and Experian could not get my credit unfrozen.

It's possible I'm confusing Equifax with Experian. They sound the same and I can't quite remember which one was the culprit here.
Signel
AG
Kenneth_2003 said:

YouBet said:

Logos Stick said:

also for those that don't know, put a credit FREEZE on your accounts:

www.equifax.com
www.experian.com
www.transunion.com


you're welcome


Correct. If you are just doing this with Experian, then you are still exposed. I just did this last year with all three and my personal experience is that freezing your credit with Transunion and Experian was easy. Set up account, click button to freeze credit.

Equifax was a nightmare. I had to call India to get my credit frozen and it took 3 hours to get it done.

Try UNfreezing it.
It took me nearly a week back in 2017.

I had gotten laid off, and my employer wanted to release my company cell phone, which I also used for personal use, to me. AT&T needed to run a credit history, and Experian could not get my credit unfrozen.

Nah. I freeze and unfreeze mine all the time when I want to use Affirm, one of those BNPL services. I use a password manager to auto log into the credit bureaus' sites, schedule the thaw, and make the purchase 5 minutes later.

Same for if I finance a car or anything.

I'd be faster if I didn't have 2FA enabled on all the credit bureau sites.
Fenrir
It used to be a pain, but they all got pretty good at it not too long after Equifax was hacked. You used to have to pay to freeze your accounts unless you were a victim of identity fraud, but that's gone now too.