On Wednesday, health insurance company Excellus BlueCross/BlueShield (which primarily covers patients in the upstate New York area) confirmed that hackers managed to breach network security at the company and its various affiliates. This resulted in the theft of confidential data for 10.5 million people.
On the website Excellusfacts.com, the company posted a message from CEO Christopher Booth, admitting that “Excellus BlueCross BlueShield was targeted in a very sophisticated cyberattack.”
Excellus says it first discovered the hack on Aug. 5, when it learned that “cyberattackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems.” The initial breach occurred in December 2013.
Stolen information
What information did the hackers steal? Excellus says it “could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31 county upstate New York service area of Excellus BCBS. Individuals who do business with us and provided us with their financial account information or Social Security number are also affected.”
Excellus is the fourth major American health insurance company to announce a network breach since the start of 2015. In February, Anthem BlueCross BlueShield admitted that hackers had stolen up to 80 million medical records dating back to 2004.
In March, Premera Blue Cross admitted to a breach compromising 11 million medical and financial records dating back to 2002. CareFirst BlueCross/BlueShield admitted to a breach in May; “only” 1.1 million records were stolen that time.
The hackers behind those three health-insurance hackings are suspected to have support from the Chinese government. Whether the same holds true for the Excellus hacking has not yet been announced.
Company efforts
Excellus says that the company is “providing two years of free credit monitoring and identity theft protection services.” That latter label is a bit of a misnomer: “identity theft protection” services do not actually offer any protection from identity theft. What they do is notify you after your identity has been stolen and help you clean up your credit report afterward. To truly protect yourself from identity theft after hackers steal your information, your only real option is to place freezes on your credit reports – which can get very expensive for you.
Unfortunately, hacked companies almost never offer to cover the costs of credit freezes for victims, choosing instead to offer credit monitoring for a year or two.
Ironically, earlier this month, the security auditing firm KPMG released a report showing that, of all major American healthcare or health insurance companies (“major” defined as “having annual revenues of $500 million or more”), a whopping 81% had suffered a data breach in just the previous two years. That number might be a little higher, now that Excellus is included in it.
Excellus says it will mail letters to people impacted by the network breach. These will be physical letters, sent through the U.S. Mail, so if you get any emails about the hacking, claiming to be from Excellus, delete those messages at once – they're nothing more than scambait.
The company has also established a toll-free number for customers to call with questions about the incident: 1-877-589-3331.