Another Healthcare Insurer, Excellus BCBS, Hit With Mega-Breach

Excellus and parent company, Lifetime Healthcare Companies, latest victims of cyber-attack that may have impacted more than 10 million personal records.

Rutrell Yasin, Freelance Writer

September 10, 2015


Cyber attackers last month executed a sophisticated attack to gain unauthorized access to the IT systems of Excellus BlueCross BlueShield and its parent company, Lifetime Healthcare Companies, and possibly to more than 10 million personal records.

The Rochester, N.Y.-based insurers learned Aug. 5 that cyber attackers had gained access to IT systems hosting individuals’ personal information, company officials reported Wednesday. Further investigations revealed that the initial attack occurred on Dec. 23, 2013, they said.

Company officials notified the FBI and are coordinating with the Bureau’s investigation into this attack. Excellus also hired Mandiant to conduct the investigation and help remediate the issues created by the attack on its IT systems; Mandiant has also conducted investigations at several of the other healthcare companies that were breached recently. 

So far in 2015, cyber attackers have targeted Anthem, Premera Blue Cross, LifeWise, UCLA Health System, CareFirst BCBS, and now Excellus. Security researchers have linked some of these attacks to groups in China, which would suggest the attackers are not out for financial gain but instead the collection of personal information on prominent Americans.    

[Why so many attacks on healthcare companies, starting with the Community Health Systems breach in 2014? Read "Healthcare Breaches Like Premera First Stage Of Bigger Attacks?" on Dark Reading.]

Attackers increasingly are targeting “medical databases and protected healthcare information because they contain a treasure trove of personal identifiable information that they can use or sell on the black market to feed identity theft schemes,” said Adam Levin, founder and chairman of identity theft protection firm IDT911, and former director of the New Jersey Division of Consumer Affairs.

According to the Identity Theft Resource Center (via data security provider Netsurion), medical/healthcare is the second largest sector affected by breaches in 2015, with approximately 109.6 million records compromised.

The Excellus attackers may have gained access to personal information, including names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claims data.

However, the investigation has not determined that any such data was removed from Excellus’ systems. “We also have no evidence to date that such data has been used inappropriately,” company officials say.

“As breaches have become the third certainty in life, data must be encrypted and there needs to be multiple layers of security, like two-way authentication,” Levin says. “The initial intrusion took place more than a year ago, which begs the question, ‘who was minding the store?’”

“While it’s mentioned that there’s no evidence of files being stolen, [reports] also mentioned that the files were encrypted and that attackers had gained administrative access to the files, being able to presumably view them in an unencrypted form,” says Adam Kujawa, head of malware intelligence at Malwarebytes Labs, research arm of the anti-malware company.

“It then follows that with an attack of this magnitude, being done over the course of more than a year, cybercriminals probably stole information by simply copying and pasting it from its unencrypted form on the secure network to their own systems or utilizing built-in tools to parse the information for the most valuable data,” Kujawa says.

Kujawa thinks this latest breach is just another example of the weak cyber security measures currently in place for sensitive information. “While many industries, such as banking, are stepping up to the plate, there’s still a slow adoption or even failure from industries such as healthcare,” he says.

Companies need to invest in employee training on proper security and privacy protocols, because a company is only as good as its weakest link, notes Levin. Affected members should immediately change usernames and passwords and use diverse, long, and strong passwords for their personal and financial accounts, he advises. 

“They should also check their accounts for any suspicious activity and sign up for transactional alerts from their bank.”

Excellus is providing two years of free identity theft protection services through Kroll, a global leader in risk mitigation and response solutions, including credit monitoring by TransUnion, to affected individuals, the company says.

About the Author

Rutrell Yasin

Freelance Writer

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the mainframe; the growing popularity of midrange and Unix-based computers; the advent of the personal computer; client/server computing; the merger of network and systems management; and the growing importance of information security. His stories have appeared in leading trade publications, including MIS Week, The Report on IBM, CommunicationsWeek, InternetWeek, Federal Computer Week, and Government Computer News. His focus in recent years has been on documenting the rise and adoption of cloud computing and big-data analytics. He has a keen interest in writing stories that show how technology can help spur innovation, make city streets and buildings safer, or even save lives.
