NY Health Provider Excellus Discloses Data Breach Dating to 2013

Excellus BlueCross BlueShield, a large health care provider in New York state, says it was hit by an attack that began in 2013 and wasn’t discovered until last month, resulting in the compromise of members’ personal information, including Social Security numbers, addresses, financial and account information.

The company did not specify how many people potentially are affected by the breach, but said it includes members, patients, and possibly other people who did business with Excellus. The attackers first compromised Excellus’s network in December 2013, but the company only discovered the attack in early August after bringing in Mandiant to do a security assessment of its networks.

Excellus had seen the other breaches affecting health care companies and decided to have Mandiant check out their network to see if anything was amiss. It was.

“On August 5, 2015, Excellus BlueCross BlueShield learned that cyberattackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems.  Our investigation further revealed that the initial attack occurred on December 23, 2013. As part of our own investigation, we notified the FBI and are coordinating with the Bureau’s investigation into this attack,” Excellus President and CEO Christopher Booth said in a statement.

In addition to Excellus members and patients, people from other BlueCross and BlueShield plans who were treated in the 31 county area served by Excellus may be affected by the breach, as well. While Excellus officials said that the attackers accessed a wide swath of personal information, they said there was no evidence yet that any data was removed from the network.

“Our data was encrypted, but the attackers gained unauthorized administrative access to our systems, therefore allowing them to potentially access personal information,” the FAQ provided by the company says.

The Excellus breach follows the massive compromise at Anthem, one of the larger health care providers in the United States. That breach ended up affecting nearly 80 million Anthem customers, as well as millions of non-Anthem members.

Suggested articles