Excellus Blue Cross and Blue Shield Hacked

Another health care provider has been the subject of an attack. Excellus Blue Cross and Blue Shield (BCBS) was the target of what the Washington Times is describing as “a sophisticated cyber attack.” According to NBC News, the initial attack occurred on December 23, 2013, but wasn’t discovered until August 5, 2015. Now Excellus BCBS is working with the FBI to help determine the scope of the breach.

Both PC World and Computer Weekly report that the hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information. There isn’t sufficient information to connect this attack with the Anthem and U.S. Office of Personnel Management (OPM) attacks. Reports from Symantec attributed the Anthem and OPM breaches to a cyber-espionage group of Chinese origin called Black Vine.

Modern Healthcare is reporting that hackers may have gained access to 10 million personal records. The attack affects 7 million Excellus members and 3.5 million of its non-Blues subsidiary, Lifetime Healthcare Cos.

Our Analysis

Until enough information about the Excellus cyber-attack is available to compare with what has been detailed about Anthem and OPM, we can’t assume that “Black Vine” is responsible. It is possible that this was an insider attack, but once again there is no evidence to back this theory up. So far the investigation has not determined that any data was removed or used inappropriately. Almost two years passed before this attack was brought to light.

When Anthem and other organizations in the health care field announced they were hacked, this should have been a red flag for Excellus to have its security tested. Hopefully these mistakes will trigger other companies to ensure they are secure, especially with regard to protecting individuals’ personal information. Excellus Facts is offering 2 years of free credit monitoring and identity theft protection services. This is a start in ensuring that individuals who may have been affected by the attack are protected.

The best thing for Excellus is to investigate its IT security and take the appropriate actions to strengthen the security of its IT systems. I am sure they will have the help of plenty of HIPAA auditors in addition to other security professionals.

On September 9, 2015, the company began to send letters to the affected individuals. These individuals should take advantage of the free offerings by the company.


Excellus Facts
PC World
Computer Weekly
NBC News
Washington Times
Modern Healthcare

About Scott Entsminger

Scott Entsminger was born and raised in Virginia. He graduated from Radford University with a Bachelor of Science in Criminal Justice. Scott has worked for the Department of Defense since graduating college. He is an expert in Windows Administration, with specific experience in Group Policy and vulnerability remediation. He also has specific experience in Information Assurance (IA) and Cyber Security. Scott holds the CompTIA Security+ certification. He is always looking to diversify his skillset. Scott is an avid sports fan, particularly baseball. He is also an avid gamer and enjoys learning different skills involving his PC.