
Excellus Data Breach Impacts 10 Million

Excellus BlueCross BlueShield (BCBS), a non-profit health insurer based in Rochester, New York, revealed on Thursday that malicious actors had access to its IT systems for more than a year and a half.

The attackers gained access to the details of members, patients and other individuals Excellus does business with. According to the organization, the breach also impacts members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus BCBS. It is estimated that roughly 10 million individuals are affected.

Following news of data breaches suffered by health insurers Anthem, CareFirst and Premera, Excellus called in security firm Mandiant to conduct an analysis of its systems. Mandiant informed Excellus on August 5 that its network had been penetrated by sophisticated attackers. The investigation revealed that the malicious hackers initially gained access to the organization’s systems on December 23, 2013.

The incident is being investigated by Excellus in cooperation with Mandiant and the FBI.

The initial investigation shows that the attackers might have accessed names, addresses, phone numbers, dates of birth, social security numbers, member IDs, financial account data, and medical claims information. Excellus noted that the type of information potentially compromised for each individual depends on their relationship with the organization.

“Our investigation has not determined that any information was removed from our systems and there is no evidence to date that any such information has been used inappropriately,” Excellus said in a statement.

The insurer is working on determining who is affected by the breach and will notify them by mail. Those impacted by the cyberattack will be offered two years of free identity protection services, including credit monitoring. Customers have been warned about malicious emails that may purport to come from Excellus; the company has highlighted that it will not send any emails about the attack.

Other Blue Cross Blue Shield insurers also admitted this year that their IT systems had been breached. The details of 1.1 million people were exposed in the breach suffered by CareFirst, 11 million were affected by the Premera incident, and up to 80 million had their records compromised due to the hacker attack on Anthem.

Excellus BCBS says it does not have sufficient information to determine if the attacks are connected.

In the case of Anthem, the company is believed to have been targeted by a sophisticated espionage group that Symantec has dubbed “Black Vine.” The threat actor, linked to China, has targeted numerous high-profile organizations in the United States since 2012.

“The Excellus breach is just the latest example of how hackers are able to avoid detection and go unnoticed within a network for long periods of time. While the exact details of how the breach occurred have not yet been released, the responsibility still lies with the hacked organization to do a better job of quickly detecting and responding to these types of attacks,” Mike Hamilton, VP of product at Ziften, commented on the Excellus breach. “No attack should go undetected for extended lengths of time, in this case well over a year. Security teams need to shore up their existing security infrastructure with tools designed to provide the intelligence required to shut these hackers down and limit the damage.”

IBM reported in May that the cost of data breaches was trending upward and the healthcare industry was named the most profitable target for malicious actors. The study showed that the average cost would be as high as $363 per stolen record in the case of healthcare organizations.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.