Excellus BlueCross BlueShield Hit By Hackers
A major cyberattack is being reported by the area's largest health insurance organization. Excellus BlueCross BlueShield says its Information Technology systems were the target of a sophisticated cyberattack. Including its affiliated companies, a total of more than 10 million customers may be affected.
As a result of cyberattacks on other insurance companies, Excellus BCBS hired a cybersecurity firm to conduct a forensic assessment of its IT systems. On August 5, Excellus BCBS learned that cyber attackers gained unauthorized access to its IT systems. According to a site set up by Excellus for its affected customers (www.excellusfacts.com), President and CEO Christopher Booth says the first attack occurred on December 23, 2013.
The investigation has not determined that personal information on the company’s IT systems was removed or used inappropriately. However, the investigation has determined that attackers may have gained unauthorized access to approximately 7 million Excellus customers' information, which could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information.
Excellus BCBS notified the FBI and is cooperating with the bureau’s investigation.
“Protecting personal information is one of our top priorities and we take this issue very seriously,” said Christopher Booth, the corporation’s chief executive officer. “We’re making a broad range of services available today for our members, our employees and other impacted individuals to help protect their information.”
Excellus is beginning to mail letters to affected individuals today and is providing two years of free identity theft protection services through Kroll, a company involved in risk mitigation.
A dedicated call center at 1-877-589-3331 has been set up for members and other affected individuals. The company has also established a dedicated website (www.excellusfacts.com), where members and other affected individuals can view frequently asked questions and answers and sign up for the free credit monitoring and identity theft protection services.
Individuals who believe they are affected by this cyberattack but who have not received a letter by November 9 are encouraged to call the number listed at that website.
“We have already taken aggressive steps to remediate our IT system of issues raised by this cyberattack,” Booth said.
“We sincerely regret any concern this may cause,” said Booth. “We are providing free credit monitoring and identity theft protection to you for peace of mind. We also pledge to take additional steps to strengthen and enhance security to help avoid having something like this happen again.”
Also affected are about 3.5 million people who do business with affiliated companies that are all under the "Lifetime Healthcare Companies" umbrella, the parent company of Excellus. That includes:
- Lifetime Benefit Solutions
- Lifetime Care
- Lifetime Health Medical Group
- The MedAmerica Companies
- Univera Healthcare
There is a dedicated website for individuals affected by these companies, www.lifethcfacts.com, and the same call center set up for Excellus BCBS (1-877-589-3331) will handle questions for affected Lifetime Healthcare Companies customers.
An FBI spokesperson released this statement to WXXI News:
“The FBI is investigating a cyber intrusion involving Lifetime Healthcare Companies, which include Excellus BlueCross BlueShield, and will work with the firms to determine the nature and scope of the matter. Individuals contacted by the companies should take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
“The FBI works extensively with private industry to raise awareness of cyber threats and earlier this year briefed representatives of the health care industry, including LTHC/Excellus BCBS. Recently the companies quickly notified the FBI after observing suspicious network activity. Such action is essential as it allows cyber experts to preserve evidence and work with incident responders to help recover networks. Cyber intrusions are a significant threat and the FBI will continue to devote substantial resources and efforts to bring those responsible to justice.”