Data Breach at Excellus BlueCross BlueShield Reported: 10 Million Records Exposed

The PHI and PII of approximately 10 million individuals has been exposed in a data breach at Excellus BlueCross BlueShield in Western New York.

During the 19 months that hackers had access to Excellus systems between December 2013 and August 2015, the Protected Health Information (PHI) and Personally Identifiable Information (PII) of approximately 10 million individuals has been exposed. Since highly sensitive data has been compromised, victims of the breach have been exposed to a high risk of fraud and identity theft.

The data potentially accessed by the hackers include Social Security numbers, health plan ID numbers, financial information, claim information, and a wide range of PII, including plan member names, dates of birth, addresses, and phone numbers.

The data breach at Excellus BlueCross BlueShield was investigated immediately upon discovery, although that investigation did not uncover any evidence to suggest data have been used to commit fraud or identity theft.

Oftentimes, it takes some time before identity theft and fraud is actually uncovered, and data thieves may not necessarily use stolen data immediately. The cyberattack may not necessarily have been conducted with identity theft in mind. The motives of the perpetrators may take some time to be determined.

Credit Monitoring and Identity Theft Protection Services Offered to Excellus BCBS Data Breach Victims

Since there is a high risk of data being used to defraud victims, Excellus BCBS will be providing breach victims with a range of services to help mitigate risk. Excellus Chief Executive, Christopher Booth, issued a statement in which he explained:

“Protecting personal information is one of our top priorities and we take this issue seriously.” He confirmed that the victims of the data breach at Excellus BlueCross BlueShield will be protected, saying “We are providing free credit monitoring and identity theft protection to you for peace of mind. We also pledge to take additional steps to strengthen and enhance security to help avoid having something like this happen again.”

The investigation into the cyberattack took some time to conduct due to the extent of the data breach at Excellus BlueCross BlueShield. Victims had to be identified, and the extent of exposed data determined. A forensic analysis was conducted in this regard.

That investigation revealed that it was not only Excellus BCBS members that had been affected. Many of its affiliates also had member data exposed. Lifetime Healthcare Companies, Lifetime Benefit Solutions, Lifetime Health Medical Group, Lifetime Care, Univera Healthcare, and the MedAmerica Companies have also been affected by the cyberattack.

Breach notification letters are now being sent to all affected individuals to notify them of the exposure of their data, and information will be provided on how credit monitoring and identity theft protection services can be accessed.

What is not clear at this stage is how the cyberattack was discovered, and why it took such a long time. Earlier this year, a mammoth data breach was discovered by Anthem Inc., which similarly took a considerable amount of time to identify. The Premera Blue Cross hacking incident, discovered just a few days after the Anthem breach was announced, also took a long time to discover.

Health insurers, healthcare providers and other covered entities should take note of the data breach at Excellus BlueCross BlueShield, Anthem and Premera Blue Cross. Hackers may already have infiltrated computer networks, servers and desktops; and, unless a full security audit is conducted on all systems frequently, successful hacks are unlikely to be discovered until many months after access has been gained. Fast detection of hacks is essential if data exfiltration is to be prevented.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of