New York-based health insurer Excellus BlueCross BlueShield revealed Wednesday (Sept. 9) that its computer systems have been hacked, possibly exposing the data of more than 10 million people.
The insurer said that despite its efforts to safeguard the personal information of its members, it fell victim to a “very sophisticated cyberattack” on Aug. 5, with an initial attack taking place on Dec. 23, 2013.
The culprits gained unauthorized access to Excellus’ IT systems, possibly putting the following personal information of members at risk: name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information.
“This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31 county upstate New York service areas of Excellus BCBS. Individuals who do business with us and provided us with their financial account information or Social Security number are also affected,” Excellus BlueCross BlueShield’s President and CEO Christopher Booth said in a statement about the breach.
While the company confirmed that the investigation it is conducting with cybersecurity firm Mandiant has not shown that any of the data was removed from its systems, Excellus is offering its members two years of free credit monitoring and identity theft protection services.
The attack on Excellus is now part of the Department of Health and Human Services’ list of the Top 20 worst health care breaches ever reported, known in the health care industry as the “wall of shame,” The Hill reported yesterday (Sept. 10).
This year alone has seen a string of high-profile cyberattacks on BlueCross BlueShield-affiliated health insurers. One of the most notable was the data breach at Anthem, the country’s second-biggest insurer, which left 78.8 million people vulnerable.
Premera Blue Cross disclosed in March that its network was hacked, leaving the financial and medical records of 11 million customers at risk. The firm confirmed that the attack was first discovered in late January but that the system seems to have been first compromised in May 2014.
In May, CareFirst BlueCross BlueShield, which offers health insurance in Maryland, Washington, D.C., and Virginia, also said it fell victim to a data breach that dated back to June 2014, when hackers compromised the data of approximately 1.1 million current and former members who registered to use the company’s websites.