Active breach tracker IL Disclosed April 13, 2025

Blue Cross and Blue Shield of Oklahoma Data Breach 2025: 1,020 Affected · Unauthorized Access/Disclosure · IL. Filed With HHS OCR. What To Do.

Blue Cross and Blue Shield of Oklahoma (BCBSOK), a division of HCSC, disclosed unauthorized access to its Blue Access for Members (BAM) online portal affecting 1,020 individuals. The intrusion ran from November 8, 2024 to March 5, 2025 and was detected on February 11, 2025. BCBSOK filed with HHS OCR on April 13, 2025 and is offering 12 months of complimentary Experian IdentityWorks monitoring.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 8, 2024

Unauthorized access to the Blue Access for Members (BAM) portal begins

Feb 11, 2025

BCBSOK detects suspicious activity on the BAM portal

Mar 5, 2025

Unauthorized access window ends after BCBSOK closes off the activity on the BAM system

Apr 13, 2025

BCBSOK files HIPAA breach report with the HHS Office for Civil Rights for 1,020 individuals and mails notification letters to affected current and former members

Apr 13, 2025

BCBSOK publishes the BAM data incident substitute notice on bcbsok.com

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical record number

03

Contact & insurance

Phishing + targeted scams

Name Address Telephone and fax numbers Email address Health plan beneficiary number Account number Service dates Medical and dental service and billing information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Blue Cross and Blue Shield of Oklahoma (BCBSOK), the Oklahoma division of Chicago-based Health Care Service Corporation (HCSC), disclosed unauthorized access to its Blue Access for Members (BAM) online portal that affected 1,020 individuals. According to BCBSOK’s own substitute notice, suspicious activity on the BAM system was detected on February 11, 2025, and the investigation determined that an unauthorized party may have viewed protected health information and personally identifiable information on member accounts at various points between November 8, 2024 and March 5, 2025. BCBSOK filed its HIPAA breach report with the U.S. Department of Health and Human Services Office for Civil Rights on April 13, 2025 and is offering affected members 12 months of complimentary Experian IdentityWorks monitoring. The OCR portal categorizes the incident as Unauthorized Access/Disclosure at a Health Plan covered entity in Illinois (HCSC’s home state).

Timeline

  • November 8, 2024 — Unauthorized access to member accounts in the Blue Access for Members (BAM) portal begins, based on the period BCBSOK identified during its investigation. date: 2025-04-13
  • February 11, 2025 — BCBSOK detects suspicious activity on the BAM system and begins its internal investigation. date: 2025-04-13
  • March 5, 2025 — End of the period during which unauthorized access could have occurred. BCBSOK takes steps to close off the activity on the BAM system. date: 2025-04-13
  • April 13, 2025 — BCBSOK files its breach report with the HHS Office for Civil Rights covering 1,020 individuals, mails individual notification letters to affected current and former members, and publishes its substitute notice on bcbsok.com.

What was exposed

BCBSOK’s notice describes the information that the unauthorized party may have viewed on member BAM accounts as including, in varying combinations per individual:

date: 2025-04-13

  • Name date: 2025-04-13
  • Address date: 2025-04-13
  • Date of birth date: 2025-04-13
  • Telephone and fax numbers date: 2025-04-13
  • Email address date: 2025-04-13
  • Medical record number date: 2025-04-13
  • Health plan beneficiary number date: 2025-04-13
  • Account number date: 2025-04-13
  • Service dates date: 2025-04-13
  • Medical and dental service and billing information

BCBSOK has not publicly indicated that Social Security numbers, driver’s license numbers, or financial account credentials were involved, and no attacker has been publicly identified. The OCR portal lists the incident location as “Other,” consistent with member-portal access rather than a server or network compromise.

What BCBSOK is offering

BCBSOK is offering 12 months of complimentary identity monitoring through Experian IdentityWorks to affected current and former members who receive a notification letter. The letter contains an enrollment code and instructions for activating the service. BCBSOK also advises affected members to review their Explanation of Benefits (EOB) statements for any unfamiliar services and to call the number on their member ID card if they spot anything unusual.

Class-action litigation

No putative class action targeting the BCBSOK BAM incident has been publicly docketed as of this writing. Several plaintiffs’ firms have publicly investigated other 2025 BCBS-system incidents (including the larger Conduent vendor breach that separately affected BCBSOK members), but those are distinct events from the BAM portal access described here. This page will be updated if a complaint specific to the BAM incident is filed.

What to do if you may be affected

  1. Enroll in the Experian IdentityWorks monitoring BCBSOK is offering if you receive an enrollment code in your notification letter. It is free for 12 months and a reasonable baseline given the data elements involved.
  2. Freeze your credit at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). It is free, reversible, and the single highest-leverage step against new-account identity fraud, even when Social Security numbers are not confirmed to be in the dataset.
  3. Review your Explanation of Benefits (EOB) statements. Because the exposed data includes service dates and billing information, the most likely downstream harm is medical-identity theft (someone using your insurance to obtain care or prescriptions). Flag any unfamiliar provider, date, or service to BCBSOK using the number on your member ID card.
  4. Change your BAM password and turn on multi-factor authentication. The intrusion targeted the member portal directly. If you reuse passwords across sites, change them on those sites as well and use a password manager.
  5. Keep the notification letter. It documents your standing for any future regulatory action or class proceeding related to this specific incident.

Sources on this page

date: 2025-04-13

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.