Excellus BlueCross BlueShield, one of the larger health care providers based out of New York, confirmed on Thursday that the company was hit by a cyber attack that began back in 2013 and wasn’t discovered until early last month, resulting in patients information being stolen including names, date of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claims information.
The health insurer did not specify an exact number of possibly affected patients (reports remain at 10 million), but they said the breach includes members, patients and others who may have done business with Excellus in the past. Attackers first compromised Excellus’s network back in December 2013, when researchers at Mandiant brought light upon the attack in early August after performing a security assessment on their networks.
Due to the recent spike in breaches affecting health care providers across the nation, Excellus thought they should have their network scanned, only to have Mandiant uncover a deadly breach.
“On August 5, 2015, Excellus BlueCross BlueShield learned that cyberattackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems,” Excellus President and CEO Christopher Booth said in a statement. “Our investigation further revealed that the initial attack occurred on December 23, 2013. As part of our own investigation, we notified the FBI and are coordinating with the Bureau’s investigation into this attack.”
Alongside the millions of affected Excellus members and patients, people from other BlueCross and BlueSheild locations who were treated in one of the 31 county area’s served by Excellus may have also been affected two year long breach. Though Excellus officials did confirm attackers gained access to a large swath of patient information, they said there was zero evidence that any information was removed from the network.
“Our data was encrypted, but the attackers gained unauthorized administrative access to our systems, therefore allowing them to potentially access personal information,” Excellus wrote in their FAQ regarding the data breach.
Excellus can add themselves to the massive list of hacked health care providers including Anthem, the number of largest health care provider in the United States, alongside Premera Blue Cross and CareFirst, two massive health care providers
“The FBI is investigating a cyber intrusion involving Lifetime Healthcare Companies, which include Excellus BlueCross BlueShield, and will work with the firms to determine the nature and scope of the matter,” the FBI told reuters in a statement.
As the company is currently under investigation details remain scarce. We will keep you updated on the Excellus breach!