Excellus BlueCross BlueShield (BCBS) New York has revealed that malicious actors had access to its IT systems for more than a year and a half.
The attackers gained access to the details of members, patients and other individuals Excellus does business with. According to the organization, the breach also impacts members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus BCBS. It is estimated that roughly 10 million individuals are affected.
Following news of data breaches suffered by health insurers Anthem, CareFirst and Premera, Excellus called in security firm Mandiant to conduct an analysis of its systems. Mandiant informed Excellus on August 5 that its network had been penetrated by sophisticated attackers. The investigation revealed that the malicious hackers initially gained access to the organization’s systems on December 23, 2013.
The incident is being investigated by Excellus in cooperation with Mandiant and the FBI. The initial investigation shows that the attackers might have accessed names, addresses, phone numbers, dates of birth, social security numbers, member IDs, financial account data, and medical claims information. Excellus noted that the type of information potentially compromised for each individual depends on their relationship with the organization.
“Our investigation has not determined that any information was removed from our systems and there is no evidence to date that any such information has been used inappropriately,” Excellus said in a statement.
The insurer is working on determining who is affected by the breach and will notify them by mail. Those impacted by the cyberattack will be offered two years of free identity protection services, including credit monitoring. Customers have been warned about malicious emails that may purport to come from Excellus — the company has highlighted that it will not send any emails about the attack.