(Story updated at 6:50 p.m. ET.)
Excellus Blue Cross and Blue Shield, a Rochester, N.Y.-based insurer, disclosed Wednesday afternoon that it was the victim of a sophisticated cyberattack by hackers who may have gained access to over 10 million personal records.
Christopher Booth, the insurer's CEO, said in a message to customers that Excellus discovered the attack on Aug. 5 and an investigation determined that it occurred on Dec. 23, 2013. The hackers are believed to have had access to customers' names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification, financial account information and claims information, which would likely include medical data.
The attack affected about 7 million Excellus members and 3.5 million members of its non-Blues subsidiary, Lifetime Healthcare Cos. The company is notifying affected customers and offering identity theft protection through Kroll, a risk mitigation and response solution company, including credit monitoring through TransUnion.
The attack falls within the top 20 worst healthcare breaches ever reported by a healthcare organization, according to the HHS breach list, colloquially known as the industry “wall of shame.” Excellus said it has notified the FBI and is cooperating with the bureau's investigation.
“We have already taken aggressive steps to remediate our IT system of issues raised by this cyberattack,” Booth said in a statement.
As with other Blue Cross and Blue Shield affiliates that have been hacked, the incident also affects members of other Blues plans who sought treatment in Excellus' 31-county upstate New York service area. It also affects individuals who do business with the insurer and have provided their financial account information or Social Security numbers.
An investigation by Excellus has not determined that any data was removed from the insurer's systems, nor is there evidence that the compromised data has been used fraudulently.
Blues insurers have recently been the targets of major cyberattacks, including Washington, D.C.-based CareFirst Blue Cross and Blue Shield, Seattle-based Premera Blue Cross and Indianapolis-based Anthem, which was the victim of the largest cyberattack ever disclosed by a healthcare company, affecting about 80 million current and former members.
In a recent survey of over 100 payer organizations by consulting firm KPMG, 69% said their systems have been compromised by malware in the past 12-24 months. Only 18% said their networks had not been compromised in the last 1-2 years, despite 44% of payers reporting that they feel near “completely ready” to defend against a concerted cyberattack.
Some experts have hypothesized that the specific goal of the hackers has been to obtain information on federal employees, who make up a notable portion of the 106 million Americans covered by various Blue Cross and Blue Shield companies. The breach of clinical data, which may have occurred in this case, can pose a particularly costly threat to insurers and their customers.
But Mac McMillan, an IT healthcare security expert and founder of CynergisTek, an Austin, Texas-based security consultancy, said Blues affiliates are more likely in the spotlight for these attacks because they’ve probably been proactive in looking for past breaches following the Anthem attack. It’d be unfair to speculate that BCBS affiliates are a target for hackers or less secure, he said.
“I don’t think this is an anomaly or this should be a surprise to anybody,” McMillan said. “I think the Blues are finding it because the Blues have gotten their nose bloodied and they’re looking to address it and finding it now. Every insurer should be looking and I’m willing to bet there’s a lot more we don’t know about.”