Notice of NASCO data privacy event

On October 19, 2023, Blue Cross and Blue Shield of North Carolina (Blue Cross NC) learned that NASCO, a claims processing vendor for multiple health plans, experienced a data security incident in which an unauthorized third party accessed the data of customers, including some Blue Cross NC members. The incident involved the third-party MOVEit Transfer tool, which is used to securely exchange files. 

Upon discovering the incident on July 12, 2023, NASCO immediately took steps to secure its systems, launched an investigation conducted by an experienced outside law firm and a leading cybersecurity firm, and notified law enforcement authorities. The investigation determined that, on May 30, 2023, the unauthorized party exploited a vulnerability in the MOVEit software, accessed the MOVEit Transfer server, and acquired certain data from it during that time.

NASCO subsequently undertook a time-consuming and detailed review of the data to determine the contents and to whom that data relates. NASCO confirmed that Anthem Blue Cross Blue Shield (“Anthem”) was impacted by this security incident and notified them accordingly. Anthem then conducted a comprehensive review of the data to determine the impact on any affiliated Blue plans and, on October 19, 2023, notified Blue Cross NC that claims information for some members who received care in the Anthem service area between 2015 and 2018 was impacted by the incident.

Although the type of information at issue varies for each person, the data impacted by the incident may have included Subscriber ID, claim number, group number, group name, patient account number, provider name, procedure code, claim charges and dates of service. Member names were not included. While NASCO has no evidence that any of the information has been misused, NASCO will mail a notice to impacted individuals beginning the week of November 27, 2023, which will provide information and resources to help protect personal information.

As part of its ongoing commitment to protecting personal information and making the security of information its highest priority, NASCO is reviewing and enhancing its existing policies and procedures related to data privacy to reduce the likelihood of a similar future event. In addition to notifying impacted individuals, NASCO is offering credit monitoring and identity protection services.

If you are an impacted health plan member with questions about the incident or how to enroll in Experian identity monitoring services, call 855-873-7643, Monday through Friday between 9 AM and 11 PM, and Saturday and Sunday between 11 AM and 8 PM ET, excluding major US holidays.

For more information, visit the NASCO data security page.