Blues plans will offer free, perpetual credit and fraud protection

Blue Cross and Blue Shield plans, reacting to a series of massive cyberattacks that exposed millions of their customers’ personally identifiable records, will offer free and continuous credit monitoring and fraud protection services to all of their 106 million members.

The move may usher in a new era in credit and fraud monitoring in healthcare and in other industries threatened by ever-increasing data security threats.

Blues plans nationwide will begin providing the services on or before Jan. 1, 2016, according to a news release by the Blue Cross Blue Shield Association.

Health plans and healthcare providers typically offer credit monitoring for one year after they suffer data breaches. The targets of recent large-scale hacks—Anthem, Premera Blue Cross and CareFirst Blue Cross—doubled the coverage period to two years as part of their customer support and legal liability mitigation strategies.

Now all Blues members will be able to “opt-in” for credit monitoring, fraud detection and fraud resolution support that will continue for as long as they remain a Blues plan member.

The new norm
This level of protection is likely to become the new norm in healthcare, said privacy and data security lawyer Kenneth Dort, who heads the technology workgroup in the Chicago office of Drinker Biddle & Reath. “This could be the first of a snowball rolling downhill,” he said.

The healthcare industry has been plagued with 1,265 major data breaches involving the exposure of nearly 135 million individuals’ health records since the federal government began publicly posting breach reports in September 2009.

Meanwhile, improvements in monitoring technology and competition among service providers have crushed credit and fraud monitoring costs. Dort said a major credit reporting agency quoted him a bulk rate of 25 cents per person per year for monitoring the financial activities of individuals involved in larger breaches of 100,000 or more customers.

The Blues’ pioneering offer comes in the wake of the largest healthcare data breach in U.S. history: the loss of some 80 million health plan records to a hacking incident reported in February by Indianapolis-based Anthem.

The effects of that breach spilled beyond Anthem’s 14 Blues plans to other Blues-affiliated plans because of reciprocal payment relationships forged through the Blue Cross and Blue Shield Association’s national Blue Card program.

In March, Premera Blue Cross, based in Mountlake Terrace, Wash., revealed that hackers had compromised its data systems and exposed 11 million members’ records in several states in the Pacific Northwest.

Then in May, CareFirst Blue Cross, covering Maryland, the District of Columbia and Northern Virginia, announced it was the victim of a cyberattack affecting 1.1 million members.

“The point of this protection is to reduce and hopefully eliminate anything bad that is going to happen,” said privacy lawyer Kirk Nahra, a partner in the firm Wiley Rein in Washington. It could split the pool of affected potential plaintiffs and make it harder for their counsel to claim damages.

“If they offer it (credit protection) and you didn’t take it, whose problem is that?” Nahra said.

Already, the Anthem breach has spawned hundreds of class-action lawsuits. Last month, many of the cases were transferred to and consolidated in the Northern District of California.

Lynn Toops, a lawyer with the Indianapolis firm of Cohen & Malad, which filed one of the Anthem suits, said credit monitoring has limited utility as a legal mitigation strategy. If identity thieves file a phony tax return with someone’s information, she said, “credit card monitoring does nothing for that.”

But Lillian Ablon, a cybersecurity expert with the RAND Corp., said the new consumer protections are savvy marketing and a good legal strategy.

Defending their brands
Many executives are more concerned about the damage done to their companies than the value of the stolen data, said Ablon, who researched the topic for a recent white paper.

“Companies care so much about their brand, their reputation, what others think about them,” Ablon said, and the Blues realize “it’s a matter of when, not if” they’ll be breached. Paying for monitoring helps restore customers’ faith that the companies are watching out for them, she said.

Brand defense is certainly part of the national strategy, according to Doug Porter, the Blues association’s senior vice president of operations and chief information officer.

“A failure in the core operational controls can absolutely tarnish the brand,” Porter said. “You have to take clear aim at the risk in a multitude of approaches.” Porter would not discuss costs or identify vendors, saying contracts with credit and fraud protection services providers are “still in negotiations.”

Plans will be free to deal with other vendors provided they, too, provide the basic credit monitoring functions negotiated by others, he said.

Data security expert Michael McMillan said he’s dubious that the new protections offer much more than good PR.

“This is a commercial, it’s not a solution,” McMillan said. “You really want to do something? Protect the data.”
