The New York State-based health insurer disclosed that it was breached as far back as 2013. Reports say millions of health records have been exposed.
Excellus BlueCross BlueShield is the latest health insurance provider to reveal that is has been breached. Excellus publicly disclosed the breach on Sept. 9, though it admits that the breach initially took place Dec. 23, 2013.
Although the breach occurred in 2013, Excellus just discovered the issue on Aug. 5. Since then, Excellus has engaged with the Federal Bureau of Investigation as well as FireEye's Mandiant incident response division.
"We worked closely with Mandiant, one of the world's leading cyber-security firms, to conduct our investigation and to remediate the issues created by the attack on our IT systems," Excellus President and CEO Christopher Booth, said in a statement. "We are taking additional actions to strengthen and enhance the security of our IT systems moving forward."
The Excellus attackers were able to get access to policy-holder information, including claims information. Excellus noted that it has no evidence that any policy holder information has been used inappropriately. The company is taking steps to protect its policy holders with the offer of free identify-theft protection services for the next two years.
Excellus has not publicly disclosed a precise number of policy holders that are at risk, though an Associated Press report estimates the figure to be approximately 10 million.
Excellus now joins Anthem, Premera and CareFirst on the list of health insurance companies that have publicly disclosed breaches in the last year. In the Anthem data breach, publicly disclosed
on Feb. 4, 80 million customer records were exposed to risk.
According to Excellus' own investigation, it is not clear if there is a connection with its breach and the attack on Anthem. A report
in July alleged that the same group of attackers was behind breaches against Anthem, United Airlines and the U.S Office of Personnel Management.
"Anthem, Premera and CareFirst are separate companies that are also independent licensees of the Blue Cross Blue Shield Association," Excellus stated in a fact sheet
on that attack. "Excellus BlueCross BlueShield is not involved in Anthem's, Premera's or CareFirst's investigations and does not have sufficient information to comment on what happened to them."
While Excellus is providing information about the data breach online, it is not emailing affected policy holders and is warning against potential email scams related to the breach.
"We will not email anyone regarding this attack," Excellus stated. "You should be aware that you may receive scam and phishing emails claiming to be from our company."
Bobby Kuzma, systems engineer at Core Security, said that given that it took well over a year from the initial breach to detection, he doesn't think that protecting personal information is one of Excellus' top priorities. "I'm not surprised by this breach," he told eWEEK
. "We're well past the point where organizations should have effective defenses and, more importantly, detective controls to catch intrusions before they become breaches."
Organizations are still falling to the same preventable attacks time after time, and this isn't a problem that is exclusive to Blue Cross affiliates, Kuzma said. "It would not surprise me if we see in the next few years that almost every major insurance company has been breached in some form or fashion," he said.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist