Healthcare Informatics Magazine | Health IT | Information Technology

Excellus BlueCross BlueShield Hacked; More Than 10M Affected

September 10, 2015
by Heather Landi

Excellus BlueCross BlueShield, a Rochester, N.Y.-based insurer, was the target of a sophisticated cyber attack on its IT systems that exposed the personal data of more than 10 million people.

The payer and its affiliates disclosed late in the day on Sept. 9 that Excellus discovered the unauthorized access to its computer systems on Aug. 5. A further investigation, conducted with cyber security firm Mandiant, determined that the initial security breach occurred 20 months prior, on December 23, 2013.

This hacking incident is the latest in a number of high-profile cyber attacks on healthcare organizations, including the massive hack on Anthem in February, which exposed approximately 80 million records, and a large data breach at UCLA Health Systems in July, which potentially affected 4.5 million people.

Excellus president and CEO Christopher Booth said in a message to customers posted on the organization’s website that an investigation determined hackers may have gained unauthorized access to individuals’ information, which could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information.

The organization said that its internal investigation has not determined that any such data was removed from its systems and there is no evidence to date that such data has been used inappropriately. The company notified the Federal Bureau of Investigation (FBI) and is coordinating with the bureau’s investigation.

In a recent interview with Healthcare Informatics, Ron Mehring, the senior director, chief information security officer at Dallas-based Texas Health Resources, addressed the information security risks facing healthcare organizations and spoke specifically to the lessons learned from the data breaches at Anthem and UCLA Health.

“Be prepared and have a plan,” Mehring told HCI. “From what I have learned, and Anthem especially has been very transparent on the way they handled those breaches, you need to make sure you have a great response plan and be prepared for that inevitable breach at the tactical and technical level, but also at your executive level. You need to make sure that everyone understands that it could happen and have a plan.”

This latest attack affected about 7 million Excellus members and 3.5 million members of its non-BlueCross BlueShield subsidiary, Lifetime Healthcare Companies. Other affiliates are Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The Med America Companies and Universa Healthcare. In the statement on the company website, Booth said the incident also affected members of other BlueCross BlueShield plans who sought treatment in the 31-county upstate New York service area of Excellus BCBS, as well as individuals who do business with the payer and provided their financial information or Social Security number.

Excellus is notifying affected customers and offering identity theft protection services through Kroll, a risk mitigation and response solution company, including credit monitoring through TransUnion as a precaution against reuse of stolen personal data.

As has been previously reported in Healthcare Informatics, it can be very costly for healthcare organizations to recover from a data breach. A survey from Ponemon Institute found that healthcare organizations spent an average of more than $2 million to resolve the consequences of a data breach involving an average of almost more than 2,700 lost or stolen records. Another study from Ponemon and IBM revealed that healthcare emerged as the industry with the highest cost per stolen record with the average cost for organizations reaching as high as $363.
