Excellus Data Breach Impacts 10 Million

Excellus BlueCross BlueShield (BCBS), a non-profit health insurer based in Rochester, New York, revealed on Thursday that malicious actors had access to its IT systems for more than a year and a half.

The attackers gained access to the details of members, patients and other individuals Excellus does business with. According to the organization, the breach also impacts members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus BCBS. It is estimated that roughly 10 million individuals are affected.

Following news of data breaches suffered by health insurers Anthem, CareFirst and Premera, Excellus called in security firm Mandiant to conduct an analysis of its systems. Mandiant informed Excellus on August 5 that its network had been penetrated by sophisticated attackers. The investigation revealed that the malicious hackers initially gained access to the organization’s systems on December 23, 2013.

The incident is being investigated by Excellus in cooperation with Mandiant and the FBI.

The initial investigation shows that the attackers might have accessed names, addresses, phone numbers, dates of birth, social security numbers, member IDs, financial account data, and medical claims information. Excellus noted that the type of information potentially compromised for each individual depends on their relationship with the organization.

“Our investigation has not determined that any information was removed from our systems and there is no evidence to date that any such information has been used inappropriately,” Excellus said in a statement.

The insurer is working on determining who is affected by the breach and will notify them by mail. Those impacted by the cyberattack will be offered two years of free identity protection services, including credit monitoring. Customers have been warned about malicious emails that may purport to come from Excellus — the company has highlighted that it will not send any emails about the attack.

Other Blue Cross Blue Shield insurers also admitted this year that their IT systems had been breached. The details of 1.1 million people were exposed in the breach suffered by CareFirst, 11 million were affected by the Premera incident, and up to 80 million had their records compromised due to the hacker attack on Anthem.

Excellus BCBS says it does not have sufficient information to determine if the attacks are connected.

In the case of Anthem, the company is believed to have been targeted by a sophisticated espionage group dubbed by Symantec “Black Vine.” The threat actor, linked to China, has targeted numerous high-profile organizations in the United States since 2012.

“The Excellus breach is just the latest example of how hackers are able to avoid detection and go unnoticed within a network for long periods of time. While the exact details of how the breach occurred have not yet been released, the responsibility still lies with the hacked organization to do a better job of quickly detecting and responding to these types of attacks,” Mike Hamilton, VP of product at Ziften, commented on the Excellus breach. “No attack should go undetected for extended lengths of time, in this case well over a year. Security teams need to shore up their existing security infrastructure with tools designed to provide the intelligence required to shut these hackers down and limit the damage.”

IBM reported in May that the cost of data breaches was trending upward and the healthcare industry was named the most profitable target for malicious actors. The study showed that the average cost would be as high as $363 per stolen record in the case of healthcare organizations.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
