Excellus Health Insurance Suffers Data Breach; 10.5 Million Records Compromised

Data Breach Exposes Sensitive Client Information at Excellus BlueCross BlueShield

In a significant data breach, Excellus BlueCross BlueShield (BCBS) has disclosed that approximately 10.5 million records belonging to its clients were compromised by cybercriminals. This revelation, which came to light years after the initial intrusion, reflects a critical lapse in cybersecurity measures that affects both individual members and related healthcare service users in upstate New York.

The Rochester, New York-based company, a prominent provider of healthcare and financial services, sustained the breach after hackers infiltrated its IT systems as far back as December 2013. It was only on August 5, 2015, that the breach was uncovered, raising questions about the effectiveness of Excellus’s security protocols over the two-year window during which its systems remained vulnerable.

The compromised data includes highly sensitive information such as Social Security numbers, dates of birth, mailing addresses, telephone numbers, member identification numbers, financial account details, and claims information. Such a wide array of exposed personal data not only poses immediate risks to affected individuals but also raises broader concerns about the implications for identity theft on a massive scale.

In responding to this incident, Excellus highlighted that the breach also impacted members of other Blue Cross Blue Shield plans who sought treatment within the company’s service area. Recognizing the severity of the situation, Excellus has enlisted the Mandiant Incident Response Team from FireEye Inc. to conduct a thorough investigation and develop remedial strategies.

Initial findings have indicated no evidence of data removal or misuse. Nevertheless, the company has committed to proactive measures aimed at mitigating the fallout. These include notifying affected customers about the breach and providing them with two years of complimentary identity theft protection and credit monitoring services. Customers who want to learn more about the security incident have been encouraged to reach out to Excellus directly.

Throughout the early months of 2015, Excellus was not alone in facing cyber threats, as numerous healthcare entities reported similar breaches. High-profile cases included Anthem Healthcare, which experienced a breach affecting 80 million records, Premera with 11 million affected, and the UCLA Health System, followed closely by CareFirst. Notably, the majority of these organizations utilized BlueCross BlueShield insurance products, which raises pertinent questions about the potential targeting of the entire BCBS network by malicious actors.

The methods employed in this breach may align with several MITRE ATT&CK framework tactics, particularly Initial Access, where adversaries exploit security vulnerabilities to gain entry into systems, and Persistence, ensuring continued access to compromised environments without detection. Given the extensive timeline between the initial breach and its discovery, concerns about privilege escalation and lateral movement within the network complicate the narrative surrounding Excellus’s cybersecurity posture.

In conclusion, this data breach underscores the urgent need for organizations in the healthcare sector to re-evaluate their cybersecurity strategies and mitigate risks posed by continuing cyber threats. The incident not only jeopardizes the safety of sensitive client information but also highlights vulnerabilities within critical infrastructure that demand immediate and ongoing attention from business owners across the industry.
