Excellus BCBS Breached, 10 Million Customers’ Records Affected

Excellus BlueCross BlueShield, an upstate New York health insurer, revealed that its computer systems and those belonging to related companies and affiliates had been breached in a sophisticated cyber attack. The breach potentially puts the records of over 10 million members, most of whom are upstate New Yorkers, at risk.

In a revelation on Wednesday, Excellus BlueCross BlueShield announced that it and its affiliates had been “targeted in a very sophisticated cyber attack”, reports Reuters.

The data potentially exposed includes names, addresses, Social Security numbers, medical information, telephone numbers and more.

Those affected in the breach are:

  • 7 million Excellus members.
  • 5 million members of the affiliated Lifetime Healthcare Companies.

Excellus said in a statement that while it first learned of the cyber attack on 5 August from cybersecurity experts it had hired to conduct a digital forensics assessment, the initial attack took place in 2013.

“On August 5, 2015, Excellus BlueCross BlueShield learned that cyber attackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems. Our investigation further revealed that the initial attack occurred on December 23, 2013,” read a statement from Christopher Booth, the President and CEO of Excellus.

“As part of our own investigation, we notified the FBI and are coordinating with the Bureau’s investigation into this attack,” the statement added.

A spokesman for Excellus said that although it is not yet known whether the attackers stole personal information, Excellus and its corporate partner, Lifetime Healthcare, are offering two years of free credit monitoring to all those affected.

While there are no reports or indication that any potentially stolen information has been misused by attackers, the move to offer free credit monitoring is seen as a precaution for identity protection.

“The investigation has not determined that any such data was removed from our systems, and there is no evidence to date that any data has been used inappropriately,” Excellus spokesman Jim Redmond said.

The two companies said they have already begun mailing letters to members who are likely to be affected and noted that sending the letters may take until November to complete.

In an emailed statement to Reuters, the FBI confirmed that it had been notified of the breach and is currently working with the affected companies.

“The FBI is investigating a cyber intrusion involving Lifetime Healthcare Companies, which include Excellus BlueCross BlueShield, and will work with the firms to determine the nature and scope of the matter,” the FBI added.