Weird emails from Independence Blue Cross via its IT outsourcing partners: showing yet more health IT industry trust-destroying incompetence

In the past week I've received two emails that made me highly suspicious of medical/insurance identity theft.

The emails came from Independence Blue Cross, ibx.com, into the email account I receive normal mailings from them, and seemed to indicate someone had created an unauthorized user account (I redacted my email address below):

Aug. 5, 2016:

From: noreply@ibx.com
Date: Fri, Aug 5, 2016 at 7:19 PM
Subject: User Created
To:
[my email address redacted]

User Created With UserId - userId20392, Password - password20392

July 27, 2016: 

From: noreply@ibx.com
Date: Wed, Jul 27, 2016 at 1:59 PM
Subject: User Created
To: [my email address redacted]

User Created With UserId - userId1546, Password - S04bd9u3tR

These userid's and passwords did not work at ibx.com's website, but my concern was that, if these were false accounts, the creator could have logged in and changed the password.

After the first email I left a message with the IBX fraud line, but heard nothing in response.

The metadata (IP headers) of the messages looked like this (I redacted my email address):

Delivered-To: [my email address redacted]
Received: by 10.237.44.68 with SMTP id f62csp1992388qtd;
Fri, 5 Aug 2016 16:20:27 -0700 (PDT)
X-Received: by 10.36.77.145 with SMTP id l139mr7340323itb.19.1470439227798;
Fri, 05 Aug 2016 16:20:27 -0700 (PDT)
Return-Path:
Received: from cnxsgusgma01.cnxuat.com ([216.183.110.200])
by mx.google.com with ESMTP id q123si19839234iof.67.2016.08.05.16.20.27
for ;
Fri, 05 Aug 2016 16:20:27 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning noreply@ibx.com does not designate 216.183.110.200 as permitted sender) client-ip=216.183.110.200;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning noreply@ibx.com does not designate 216.183.110.200 as permitted sender) smtp.mailfrom=noreply@ibx.com
Received: from IBCSGUSGAA01.cnxuat.com ([192.168.230.147]) by cnxsgusgma01.cnxuat.com with Microsoft SMTPSVC(8.5.9600.16384);
Fri, 5 Aug 2016 19:19:39 -0400
Received: from ibcsgusgaa01.cnxuat.com ([127.0.0.1]) by IBCSGUSGAA01.cnxuat.com with Microsoft SMTPSVC(8.5.9600.16384);
Fri, 5 Aug 2016 19:19:58 -0400
From: noreply@ibx.com
To: [my email address redacted]
Message-ID: <1180377472 .11989.1470439198021.javamail.ibcsgusgaa01="" ibcsgusgaa01="">
Subject: User Created
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Return-Path: noreply@ibx.com
X-OriginalArrivalTime: 05 Aug 2016 23:19:58.0024 (UTC) FILETIME=[E1DD4C80:01D1EF6F]
Date: 5 Aug 2016 19:19:58 -0400

User Created With UserId - userId20392, Password - password20392

After the second, I called IBX.  I was told it is a "malfunction", that these emails were not anything nefarious, other subscribers were affected, and that it "would be corrected soon."

I had already looked up the "Received from" header cnxsgusgma01.cnxuat.com [216.183.110.200]:

# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=216.183.110.200?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

Connecture, Inc. INFLOW-7524-7780 (NET-216-183-110-192-1) 216.183.110.192 - 216.183.110.255
Inflow Inc. INFL-AR-1 (NET-216-183-96-0-1) 216.183.96.0 - 216.183.127.255

Other IP's in the header appear to be of local (internal) workstations at the companies involved.

Who are these mysterious companies from which these emails seem to have originated?


Connecture, Inc:
http://www.connecture.com/the-connecture-difference/

Health insurance has entered the consumer age. Be ready. (We are.)

While there is almost universal agreement that health insurance will predominantly be distributed online in the near future, few American consumers have yet to experience it. In fact, most Americans have very little experience shopping for health insurance at all – let alone while making sense of numerous and often deceptively similar plans.

All of that is changing. Reform, the health insurance industry’s efforts to become more efficient, and Americans’ affinity for doing business online are all converging in the form of health insurance exchanges that present users with unprecedented freedom of choice.

Choice, of course, leads to questions. Which plans does my doctor participate in? Do they address my health needs? What about my family and my children? What happens if I need to go to the emergency room? How much will it cost – not just this month but year round? Am I eligible for a subsidy, and if so how much? In short, what’s the best plan for me and my family?

In health insurance, there are no cookie-cutter answers. That’s why health insurance exchanges and online distribution systems must do far more than enable consumers to enroll for coverage.

That’s where we come in. For more than 15 years we’ve focused on a singular goal: To create online systems and exchanges that empower Americans to choose the right health insurance plan online with confidence the first time, and every time.

Inflow Inc.
http://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapId=105889

As of January 4, 2005, Inflow, Inc. was acquired by SunGard Availability Services, Inc. Inflow, Inc. provides facilities-based information technology outsourcing solutions to companies with critical business and network applications. The company offers its services in three primary lines: application hosting and management, business continuance and disaster recovery, and enterprise data-center management. Its application hosting and management services include application hosting and colocation, multi homed internet access, security services, application and infrastructure management, and network and system development. The company’s business continuance and disaster recovery services consist of business continuance planning/consulting, managed storage services, and content distribution services. Inflow’s enterprise data-center management services comprise onsite data-center management, operational support system management, data-center development, data-center audit services, data-center migration assistance, and business process documentation. Inflow, Inc. was founded in 1997 and was based in Thornton, Colorado.

Emphases mine.

So, perhaps millions of Independence Blue Cross customers are receiving emails that would reasonably cause suspicion in this day and age for identity theft, from companies that gloriously promise:

To create online systems and exchanges that empower Americans to choose the right health insurance plan online with confidence the first time, and every time.

To provide facilities-based information technology outsourcing solutions to companies with critical business and network applications

Confidence is the last thing the emails I received on behalf of ibx.com inspire in me.

If this information is being spilled (to the subscriber's own email account, but who knows where else?), I can only fear that other information is not quite secure, and wonder if these "ghost accounts" are just a glitch, or insiders spying on PHI, or other effects of either massive bugs or hacker attacks.

IT companies and companies that outsource their critical IT to others (including health IT makers and health IT buyers such as hospitals) - and the IT service providers themselves - need to really, really get their houses in order.

They need to stop beta-testing buggy software upon their customers (or live patients in the case of clinical IT).

Problems like this reflect significant and trust-busting incompetence, at best.

-- SS