Skip to Content (Press Enter)

Protection provided by vendor to affected members of Arkansas Blue Cross and Blue Shield following vendor ransomware attack

August 23, 2022

Arkansas Blue Cross and Blue Shield has learned a vendor that conducts customer satisfaction survey services for quality improvement purposes with some of our members has been the target of a ransomware attack. This incident potentially allowed hackers access to 8,871 members’ names, addresses, dates of birth, ID number, diagnostic code(s), procedural code(s), gender, and certain provider information. No Social Security number or financial information was accessed by the cyberattackers.

The North Highland Company LLC (“North Highland”) provides professional and consulting services and received member information from Arkansas Blue Cross in connection with satisfaction surveys conducted by North Highland, including a predictive analytics project to help determine how to improve the quality of programs and services offered to members.

Although there is no indication that the information has been misused, we take the protection and proper use of personal information very seriously. North Highland is notifying affected current (and former) members by letter (August 23, 2022) and providing them 12 months of free identity detection and resolution of identity theft and credit monitoring services through Experian's® IdentityWorksSM. Detailed instructions on how to sign up will be included in the letter.

What happened

On June 6, 2022, North Highland discovered that it had been the victim of a ransomware attack. Upon discovering the attack, North Highland initiated an investigation with the assistance of multiple outside security experts. Later, in the course of that investigation, North Highland determined that the attackers had accessed and stolen files containing personal information of some Arkansas Blue Cross members. North Highland informed Arkansas Blue Cross of the compromise of this information on June 30, 2022. The investigation has determined that the cybercriminals first accessed the server containing this information on or around May 26, 2022.

What is being done

North Highland is working to respond to this event appropriately. North Highland has notified law enforcement of the attack and has undertaken technical remedial measures to help prevent an event like this from happening in the future.

It is important to note that the ransomware attack did not involve any Arkansas Blue Cross computer system or data. This entire incident was limited to North Highland and its computers and records. North Highland no longer provides predictive analytics services to Arkansas Blue Cross.

Our goal is to maintain the privacy and security of our members’ personal information and help protect members from any harm from the North Highland ransomware attack. We take the protection of our members' information seriously and are committed to helping our members through this incident.