On September 9, 2015, Excellus BlueCross and BlueShield announced that it was targeted in a cyberattack in which the personal information of more than 10 million people was exposed. According to Excellus, attackers could have accessed information including names, dates of birth, Social Security numbers, addresses, financial account information, and even medical claim information. According to an article by Wired, Excellus spokesperson Kevin Cane stated that the breached financial information also included credit card numbers.
According to the Rochester Democrat and Chronicle, the hackers gained root access, which would have given them full control over the system. They also had access to subscriber records going back to the 1980s, depending on the particular insurer.
Over 10 million customers’ data exposed by Excellus data breach
The Rochester Democrat and Chronicle reports that the BlueCross and BlueShield data breach has exposed the personal information of over 10 million people who are customers of Excellus, which is based in Rochester, New York. Other individuals who are customers of Excellus’s corporate parent, Lifetime Healthcare Companies, are affected by the breach as well.
The following people may be affected by the breach:
- Individuals insured by Excellus BlueCross and BlueShield, including:
  - Subscribers of BlueCross Blue Shield of Central New York at any point since 1983
  - Subscribers of BlueCross and BlueShield of the Rochester Area at any point since 1995
  - Subscribers of BlueCross BlueShield of Utica-Watertown at any point since 1980
  - Subscribers of Excellus BlueCross BlueShield at any point since 2002
- Individuals insured through other Lifetime Health Companies affiliates, including:
  - Subscribers of Lifetime Benefit Solutions at any point since 2005
  - Subscribers of Lifetime Health Medical Group at any point since 1982
  - Subscribers of MedAmerica Companies at any point since 1987
  - Subscribers of Univera Healthcare at any point since 1995
- BlueCross and Blue Shield members who have received medical care billed through Excellus
The Democrat and Chronicle also reported that the data breach affects former subscribers going back to the 1980s, depending on which entity of the company served their needs.
Excellus did not discover the breach for over a year and a half
Excellus has stated that the initial breach occurred on December 23, 2013, but that it did not discover the breach until August 4, 2015. Excellus then announced the breach over a month after it discovered it, and over a year and a half after the breach began.
Excellus stated that it will begin to send out notification letters to affected individuals.
Hackers may have accessed decryption keys
Although Excellus appears to have encrypted the data, Wired reports that Excellus spokesperson Kevin Cane stated that the hackers would likely be able to circumvent this encryption. Because hackers had gained administrative access to the company’s network, they could likely access decryption keys available to Excellus administrators. According to Cane, “[t]he encryption is not even an issue at that point.”
The FBI stated that it was investigating the data breach, and Excellus reports that it is fully cooperating with this investigation. The FBI also stated that it had briefed Excellus and other health-care insurers earlier this year about the threat of cyberattacks.
Girard Gibbs’ experience representing victims of data breaches
Our attorneys are working with Girard Gibbs LLP to litigate class action lawsuits concerning data breaches at Target, Home Depot, and Sony Pictures Entertainment. We are also litigating class action cases involving healthcare data breaches at Anthem and Premera. Additionally, Eric Gibbs was appointed lead counsel in the 2013 Adobe Systems data breach litigation.
In the past, Girard Gibbs has successfully settled cases involving cyber-attacks on HealthNet and Certegy.