Cygilant Blog

Security Breach Reported at Health Insurer Excellus 

Posted by Security Steve on Sep 23, 2015

Health insurer Excellus BlueCross BlueShield disclosed that they suffered a large data breach, which could have compromised 10 million customer records. The hackers were able to gain access to information like customer names, mailing addresses, birth dates, Social Security numbers, financial data, and medical claims information. Most of the affected customers live in upstate New York, and Excellus is headquartered in Rochester. The company does not exactly know how far-reaching the damage is. Excellus does not know if subscriber data was removed from the company’s systems. So far, there is no evidence that the stolen data has been used fraudulently.


At risk are also people who have subscribed to other BlueCross BlueShield plans that used Excellus’s services. Affiliated companies include Lifetime Care, Lifetime Benefit Solutions, Lifetime Health Medical Group, Univera Healthcare, and the MedAmerica Companies. The companies are at risk of facing HIPAA violations.


Excellus discovered the breach on August 5th of this year, but the hackers first gain access back in December 23, 2013. The hackers went unnoticed for nearly 18 months, and used that time to gather private subscriber information.


According to the Department of Health and Human Services, the Excellus BlueCross BlueShield hack is one of the top 20 worst healthcare breaches ever reported. So far this year, there have been 18 breaches reported in the healthcare sector. The infamous breach at Anthem affected 80 million BlueCross BlueShield customers. Back in March, 11 million Premera Blue Cross members were affected by a breach. In July, the UCLA Health System breach affected 4.5 million patient records.


Excellus is working with the FBI to investigate how the cyber breach occurred. Affected subscribers will receive a notification via traditional post. Excellus is also offering free identity theft protection services to affected customers for two years. The Better Business Bureau has advised all Excellus subscribers to keep an eye on their personal information for identity theft. Victims of this data breach can take action by placing a fraud alert on their credit reports, if they know that their Social Security number has been stolen. If affected customers know that their credit card data has been access, they can put a freeze on their credit. They should notify the authorities if they believe that their identity has been stolen.


Hackers value the information gathered from a healthcare data breach because it can be sold to identity thieves years after it is stolen. Victims of a credit card data breach can cancel their cards, but victims of a healthcare data breach will have trouble changing their Social Security numbers.


New York Senator Charles Schumer said that Congress should pass the Cybersecurity Information Sharing Act to in an effort to improve how companies share data about cyber threats with the government. Sen. Schumer also says that consumers need to be protected with universal data breach notification standards.

The cyber breach at Excellus yet again demonstrates how hackers are targeting the healthcare industry. The hackers who broke into Excellus’ networks were able to go unnoticed for a year and a half before security experts discovered them. Health insurers need to have a comprehensive cyber security solution in place to prevent cyber breaches such as this one, where hackers have ample time to steal information.


EiQ Networks’ SOCVue security monitoring solution allows provides companies with a dedicated team of cybersecurity experts that can monitor their systems for suspicious activity. The EiQ SOC Team is available 24/7 so companies can respond to a cyber breach quickly -- before it can do any damage to the company’s data, finances, and reputation. With EiQ SOCVue, health insurance companies can stay ahead of cyber breaches, and keep their customers’ private medical and financial data secure.  

Tags: Healthcare, Data Breach, HIPAA, Hacking

Most Recent Posts

Subscribe to Email Updates