- Excellus Blue Cross Blue Shield (Excellus BCBS) announced that it had been the victim of a cyber attack, and approximately 7 million individuals potentially had their information exposed. The Excellus BCBS data breach was discovered by the healthcare company on August 5, 2015, according to an Excellus BCBS statement, and was a “sophisticated cyber attack.”
Potentially exposed information includes individuals’ names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claims information.
Further investigation revealed that the initial attack took place on December 23, 2013, according to an Excellus website dedicated to information on the attack. Cyberattackers gained unauthorized access to Excellus Information Technology (IT) systems, the company explained. Excellus BCBS added that it has also notified the Federal Bureau of Investigations (FBI) and is cooperating with its investigation.
Data was not removed from the Excellus BCBS systems, the company stated, and there is no reason to believe that the information has been used inappropriately.
“This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31 county upstate New York service area of Excellus BCBS,” Excellus BCBS explained. “Individuals who do business with us and provided us with their financial account information or Social Security number are also affected.”
Data breach notification letters began to be sent out to affected individuals on September 9, Excellus BCBS said, and the healthcare organization will also offer two years of free identity theft protection services.
“Protecting personal information is one of our top priorities and we take this issue very seriously,” Excellus BCBS CEO Christopher Booth said in a statement. “We’re making a broad range of services available today for our members, our employees and other impacted individuals to help protect their information.”
If individuals believe that they were affected and have not received a notification letter by November 9, they are encouraged to reach out, Excellus BCBS explained.
“We sincerely regret the frustration and concern this incident may cause,” Excellus BCBS said on its website. “We want you to know that protecting your information is incredibly important to us, as is helping you through this situation with the information and support you need.”
Editor’s note: We will update this story as more information becomes available.