On September 9, 2015, Excellus BlueCross and BlueShield announced that it was targeted in a cyberattack in which the personal information of more than 10 million people was exposed. According to Excellus, attackers could have accessed information including names, dates of birth, Social Security numbers, addresses, financial account information, and even medical claim information. According to an article by Wired, Excellus spokesperson Kevin Cane stated that the breached financial information also included credit card numbers.
According to the Rochester Democrat and Chronicle, the hackers gained root access, which would have given them full control over the system. They also had access to subscriber records going back to the 1980s, depending on the particular insurer.
Is your personal data at risk?
Gibbs Law Group’ data breach lawyers are here to help. We understand the importance of confidentiality and protect our clients’ privacy. Call 800-254-9493 for a free attorney consultation.
Over 10 million customers’ data exposed by Excellus data breach
The Rochester Democrat and Chronicle reports that the BlueCross and BlueShield data breach has exposed the personal information of over 10 million people who are customers of Excellus, which is based in Rochester, New York. Other individuals who are customers of Excellus’s corporate parent, Lifetime Healthcare Companies are affected by the breach as well.
The following people may be affected by the breach:
- Individuals insured by Excellus BlueCross and BlueShield, including:
- Subscribers of BlueCross Blue Shield of Central New York at any point since 1983
- Subscribers of BlueCross and BlueShield of the Rochester Area at any point since 1995
- Subscribers of BlueCross BlueShield of Utica-Watertown at any point since 1980
- Subscribers of Excellus BlueCross BlueShield at any point since 2002
- Individuals insured through other Lifetime Health Companies affiliates, including:
- Subscribers of Lifetime Benefit Solutions at any point since 2005
- Subscribers of Lifetime Health Medical Group at any point since 1982
- Subscribers of MedAmerica Companies at any point since 1987
- Subscribers of Univera Healthcare at any point since 1995
- BlueCross and Blue Shield members who have received medical care billed through Excellus
The Democrat and Chronicle also reported that the data breach affects former subscribers going back to the 1980s, depending on which entity of the company served their needs.
Excellus did not discover the breach for over a year and a half
Excellus has stated that the initial breach occurred on December 23, 2013, but that it did not discover the breach until August 4, 2015. Excellus then announced the breach over a month after it discovered it, and over a year and a half after the breach began.
Excellus stated that it will begin to send out notification letters to affected individuals.
Hackers may have accessed decryption keys
Although Excellus appears to have encrypted the data, Wired reports that Excellus spokesperson Kevin Cane stated that the hackers would likely be able to circumvent this encryption. Because hackers had gained administrative access to the company’s network, they could likely access decryption keys available to Excellus administrators. According to Cane, “[t]he encryption is not even an issue at that point.”
The FBI stated that it was investigating the data breach, and Excellus reports that it is fully cooperating with this investigation.The FBI also stated that it had briefed Excellus and other health-care insurers earlier this year about the threat of cyberattacks.
Gibbs Law Group’ experience representing victims of data breaches
As recent cyberattacks have compromised the security of consumers’ personal information at healthcare companies, Gibbs Law Group has taken a leading role in representing victims of these data breaches. The firm has also represented victims of data breaches at large retailers and at software and entertainment companies.
Our attorneys are currently involved in leadership positions in the Target and Home Depot cases, and have been appointed lead counsel in the 2013 Adobe Systems data breach. We are also co-lead counsel in a case against Sony Pictures where we represent employees whose personal information was compromised as a result of a data breach. We are also litigating class action cases involving healthcare data breaches at Anthem and Premera.
In the past, Gibbs Law Group has successfully settled cases involving cyber-attacks on HealthNet and Certegy.
Are you an Excellus member whose information may have been exposed in the data breach?
If you believe that your personal or medical information may have been exposed in the Excellus data breach, please speak to a Gibbs Law Group data breach lawyer for a free, confidential consultation by calling (800) 254-9493 or by filling out the form.