Breach Notification , Breach Response , Data Breach
Excellus BlueCross BlueShield Hacked Information on 10.5 Million Individuals Potentially Exposed
The healthcare sector has been hit by yet another massive hacker attack. Excellus BlueCross BlueShield says a cyber-attack that began in December 2013 wasn't discovered until Aug. 5, 2015; it potentially exposed information on 10.5 million individuals.
See Also: More Threat Vectors, More Security & Compliance Challenges
The attack was discovered after Excellus, which is based in Rochester, N.Y., hired cybersecurity firm Mandiant to conduct a forensic assessment of the company's IT systems in the wake of major cyber-attacks on other health insurers, including Anthem Inc., Premera Blue Cross, and CareFirst Blue Cross Blue Shield..
The 10.5 million affected includes 7 million health plan members and 3.5 million individuals whose data was contained in systems of Excellus' holding company, the Lifetime Healthcare Companies, a Excellus spokesman says. Among the affected individuals are members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus. "Individuals who do business with us and provided us with their financial account information or Social Security number are also affected," according to an Excellus statement.
Although the affected data was encrypted, the hackers gained access to administrative controls, making the encryption moot, a company spokesman says.
"We are fully cooperating with the FBI's investigation, Excellus says in its statement. "Our investigation has not determined that any data was removed from our systems. To date there is no evidence that any data has been used inappropriately. The security of personal information is a top priority, and we are taking proactive steps to address this issue."
Information potentially exposed may include individuals' names, addresses, birthdates, Social Security numbers, member IDs, financial account information, claims data and clinical information, the spokesman says.
The company is offering those affected two years of free credit monitoring and identity theft protection services.
In addition, Excellus says it is working closely with Mandiant to conduct a comprehensive investigation of the incident. "We have moved quickly to close the vulnerability, remediate our IT systems and to strengthen and enhance the security of our IT systems moving forward."
(Look for updates on this developing story).