Excellus Blue Cross and Blue Shield Hacked
Another health care provider has been the subject of an attack. Excellus Blue Cross and Blue Shield (BCBS) was the target of what the Washington Times is describing as “a sophisticated cyber attack.” According to NBC News, the initial attack occurred on December 23, 2013, but wasn’t discovered until August 5, 2015. Now Excellus BCBS is working with the FBI to help determine the scope of the breach.
Both PC World and Computer Weekly report that the hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information. There isn’t sufficient information to connect this attack with the Anthem and U.S. Office of Personnel Management (OPM) attacks. Reports from Symantec attributed the Anthem and OPM breaches to a cyber-espionage group of Chinese origin called Black Vine.
Modern Healthcare is reporting that hackers may have gained access to 10 million personal records. The attack affects 7 million Excellus members and 3.5 million from its non-Blues subsidiary, Lifetime Healthcare Cos.
Until enough information about the Excellus cyber-attack is available to compare with what has been detailed about Anthem and OPM, we can’t assume that “Black Vine” is responsible. It is possible that this was an insider attack, but once again there is no evidence to back this theory up. So far the investigation has not determined that any data was removed or used inappropriately. Almost two years passed before this attack was brought to light.
When Anthem and other organizations in the health care field announced they were hacked, this should have been a red flag for Excellus to have its security tested. Hopefully these mistakes will trigger other companies to ensure they are secure, especially with regard to protecting individuals’ personal information. Excellus Facts is offering 2 years of free credit monitoring and identity theft protection services. This is a start in ensuring that individuals who may have been affected by the attack are protected.
The best thing for Excellus is to investigate its IT security and take the appropriate actions to strengthen the security of its IT systems. I am sure they will have the help of plenty of HIPAA auditors in addition to other security professionals.
On September 9, 2015, the company began to send letters to the affected individuals. These individuals should take advantage of the free offerings by the company.