Hackers Steal Data on 10.5 Million Excellus Healthcare Customers

Yet another US healthcare company has reported a major data breach – this time insurance firm Excellus said hackers have stolen the personal details of 10.5 million customers.

The breach affected around 7 million “members, patients or others who’ve done business” with BlueCross BlueShield, with the remainder being Lifetime Health Care customers.

The plans affected are BlueCard Members; BlueCross BlueShield of Central New York; BlueCross and BlueShield of the Rochester area; BlueCross BlueShield of Utica-Watertown; and Excellus BlueCross BlueShield.

This incident also affected members of other plans who sought treatment in the firm’s 31-county upstate New York service area.

“Individuals who do business with us and provided us with their financial account information or Social Security number are also affected,” the firm’s president and CEO, Christopher Booth, said in a statement.

Booth revealed that his IT team first discovered the “sophisticated attack” on 5 August 2015, and has since been working with Mandiant and the FBI.

However, the attack actually began over a year and a half ago – on 23 December 2013 – he admitted.

What’s more, the information stolen is highly sensitive, as he explained:

“Our investigation determined that the attackers may have gained unauthorized access to individuals’ information, which could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information.”

As is the norm on such occasions, Excellus is offering free identity theft protection services to affected customers for two years.

However, Booth claims there’s no evidence the data has been used “inappropriately” thus far.

Fortscale CEO Idan Tendler, a former cyber warfare commander of the Israeli Defense Forces, claimed the incident is a “textbook case study in how hackers are able to stay under-the-radar and go undetected for long periods of time.”

“The hackers’ ability to go unnoticed and gain unauthorized access to the company’s IT systems and the personal information of potentially thousands of people does not come as a surprise,” he added.

“We’ve seen this scenario play out in breach after breach, underscoring the need for organizations to constantly monitor their networks and be proactive in detecting and responding to suspicious user activity to prevent these types of breaches from occurring.”

Netsurion CEO, Kevin Watson, added that Excellus would likely suffer loss of customer trust and brand equity because of the breach.

“As cyber-criminals increasingly target personally identifiable information other than credit card or financial data, more and more businesses will need to be vigilant of their data security,” he argued.

“What many businesses fail to recognize are the myriad of points of entry and egress from a network, including every branch and remote office location.”

Excellus is the latest in a long line of US healthcare breaches – following most notably Anthem (78 million customers) and Premera (11 million).

It’s suspected that potentially state-sponsored Chinese hackers could be behind those attacks as they continue to build up a huge database containing the digital identities of US government employees.

Security experts have been warning for years that healthcare providers have under-invested in information security.

According to the Identity Theft Resource Center, healthcare providers accounted for more breaches (42.5%) than any other sector in 2014, continuing a three-year trend.
