Breach Notification , Breach Response , Data Breach

Excellus BlueCross BlueShield Hacked

Information on 10.5 Million Individuals Potentially Exposed
Excellus BlueCross BlueShield Hacked

The healthcare sector has been hit by yet another massive hack attack. Health insurer Excellus BlueCross BlueShield says a cyber-attack that began in December 2013 wasn't discovered until Aug. 5, 2015. The breach potentially exposed personal information on 10.5 million of its health plan members and other individuals.

See Also: Creating a User-Centric Authentication and Identity Platform for the Healthcare Industry

The attack was discovered after Excellus, which is based in Rochester, N.Y., hired cybersecurity firm Mandiant to conduct a forensic assessment of the company's IT systems in the wake of multiple health insurers - including Anthem, Premera Blue Cross, and CareFirst Blue Cross Blue Shield - belatedly discovering that their systems had been breached and member data stolen.

In the case of the Excellus breach, the 10.5 million affected individuals include 7 million health plan members and 3.5 million individuals whose data was contained in systems of Excellus' holding company, the Lifetime Healthcare Companies, a Excellus spokesman says. Among the affected individuals are members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus. "Individuals who do business with us and provided us with their financial account information or Social Security number are also affected," according to an Excellus statement.

Although the affected data was encrypted, the hackers gained access to administrative controls, making the encryption moot, a company spokesman says.

FBI Confirms Investigation

The FBI has confirmed that it has launched a related investigation. "The FBI is investigating a cyber intrusion involving Lifetime Healthcare Companies, which include Excellus BlueCross BlueShield, and will work with the firms to determine the nature and scope of the matter," the FBI says in a statement.

The FBI adds: "Individuals contacted by the companies should take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI's Internet Crime Complaint Center."

Excellus says attackers may have gained access to member information - including names, addresses, birthdates, Social Security numbers, health plan ID numbers, financial account information, as well as claims data and clinical information - although says it has seen no evidence that the information has been used for fraudulent purposes.

"We are fully cooperating with the FBI's investigation," Excellus says in its statement. "Our investigation has not determined that any data was removed from our systems. To date there is no evidence that any data has been used inappropriately. The security of personal information is a top priority, and we are taking proactive steps to address this issue."

The company, which serves 31 upstate New York counties, is offering breach victims two years of free credit monitoring and identity theft monitoring services.

In addition, Excellus says it is continuing to work with Mandiant to finish a comprehensive investigation into the breach. "We have moved quickly to close the vulnerability, remediate our IT systems and to strengthen and enhance the security of our IT systems moving forward."

The Excellus breach discovery follows the FBI issuing breach-related warnings to the healthcare sector. "The FBI works extensively with private industry to raise awareness of cyber threats and earlier this year briefed representatives of the healthcare industry, including LTHC/Excellus BCBS," the FBI says. "Recently the companies quickly notified the FBI after observing suspicious network activity. Such action is essential as it allows cyber experts to preserve evidence and work with incident responders to help recover networks. Cyber intrusions are a significant threat, and the FBI will continue to devote substantial resources and efforts to bring those responsible to justice."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network