Excellus BlueCross BlueShield is the latest to fall victim to a computer hack, announcing that the breach may have exposed data from over 10 million members.
According to the health insurer, it first learned of the cyberattack on Aug. 5, prompting an investigation that revealed that the initial attack had occurred almost two years ago on Dec. 13, 2013. As part of its investigation, Excellus notified the FBI about the incident, coordinating with the agency's own investigation.
To address issues resulting from the attack, the company is working closely with Mandiant, one of the leading cybersecurity firms in the world. Additional steps have also been taken to bolster the defenses of Excellus' IT systems moving forward.
Based on Excellus' investigation, it was determined that the hack may have provided unauthorized access to personal information like names, dates of birth, mailing addresses, telephone numbers, member identification numbers, Social Security numbers, and claims information. Those affected include 7 million Excellus members and another 3.5 million members under the affiliate Lifetime Healthcare Companies.
The incident also affected holders of other BlueCross BlueShield plans who have received treatment in the 31 counties included in Excellus' service area in upstate New York. Those who have done business with the company and those who have provided their financial information are also affected.
However, there is no indication that actual information has been removed from Excellus' systems or that any of the affected data has been inappropriately used.
Excellus said it recognizes the frustration that the incident can bring and that steps are being taken to protect members. For starters, letters have been mailed to affected members beginning Sept. 9. All affected are also eligible to receive free identity theft protection services via Kroll, as well as credit monitoring services from TransUnion for two years.
Anyone with questions about the hack is also urged to get in touch with Excellus through a dedicated call center. Those who believe they may have been affected by the hack but don't receive their notification letters by Nov. 9 are advised to contact the company.
"We sincerely regret the frustration and concern this incident may cause. We want you to know that protecting your information is incredibly important to us," wrote Excellus.