Excellus BlueCross BlueShield announces breach, 10.5M records at risk

The initial attack occurred in late December 2013, and altogether more than 10 million individuals are affected.
The initial attack occurred in late December 2013, and altogether more than 10 million individuals are affected.

Rochester, NY-based Excellus Bluecross BlueShield (BCBS) and affiliate Lifetime Healthcare Companies (LTHC) have been breached.

The health insurance organizations learned in early August that unauthorized access was gained to IT systems in late 2013, and personal information on about 10.5 million individuals may have been compromised.

An investigation conducted along with Mandiant revealed that names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claims information, and in some cases clinical information could have been affected.

“The investigation has not determined that any such data was removed from our systems,” Excellus CEO Christopher Booth, wrote in a notification posted to the company's website. “We also have no evidence to date that such data has been used inappropriately.”

The incident affects about seven million members, patients and other individuals who have done business with a variety of Excellus BCBS plans. It also affects about 3.5 million members, patients and others who participate with Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies, and Univera.

Notification pages set up for each affected entity include additional details. All impacted individuals are being notified and offered two free years of identity theft protection and credit monitoring services.  

“We have moved quickly to close the vulnerability, remediate our IT systems and to strengthen and enhance the security of our IT systems moving forward,” an FAQ posted to the Excellus BCBS website said, going on to add, “Our data was encrypted, but the attackers gained unauthorized administrative access to our systems, therefore allowing them to potentially access personal information.”

The investigation revealed that the initial attack occurred on Dec. 23, 2013. The FBI has been notified and is conducting an investigation.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS