10M-Record Cyberattack Reported by NY Health Insurer

Another massive health insurer data breach has been discovered, this one potentially affecting up to ten million health plan members.

Excellus BlueCross BlueShield, a health insurer based in Western New York, has reportedly been affected, along with its affiliates – Lifetime Healthcare Companies, Lifetime Benefit Solutions, Lifetime Health Medical Group, Lifetime Care, Univera Healthcare, and the MedAmerica Companies.

Data Access was First Gained in 2013

The data breach was discovered on August 5, 2015. An investigation was immediately launched, which revealed that as many as ten million individuals had been affected, with the hackers having first gained access to the data more than 18 months ago.

Access to the confidential data of plan members is believed to have been first gained on December 23, 2013, giving the perpetrators plenty of time to use the data. However, even though the data could have been stolen that long ago, the insurer reports that no evidence of inappropriate use has so far been discovered.

High Risk of Identity Theft and Insurance Fraud

Even though no evidence has been uncovered to suggest that the data has been used inappropriately, there is a high risk of plan members suffering identity fraud and insurance fraud.

The information potentially obtained by the hackers includes highly sensitive information such as plan member names, addresses, dates of birth, telephone numbers, health plan ID numbers, financial account information, details of claims made, and Social Security numbers. Because of the high risk of fraud, the insurer and its affiliates will be taking steps to mitigate risk and damage.

According to a statement released by Excellus Chief Executive, Christopher Booth, “We are providing free credit monitoring and identity theft protection to you for peace of mind. We also pledge to take additional steps to strengthen and enhance security to help avoid having something like this happen again.” He also said, “Protecting personal information is one of our top priorities and we take this issue seriously.”

The incident has been reported to law enforcement, and the FBI is currently investigating the extent and scope of the attack. At this stage no information has been released relating to the source of the attack.

Plan members should receive a breach notification letter in the next few days if they have been affected. The insurer started sending the letters to all 10 million yesterday.

Data Breach Highlights the Importance of Conducting Regular Internal Security Audits

This year has already seen two massive cyberattacks discovered. Anthem Inc. uncovered a data breach in February that affected 78.8 million plan members, while 11 million records were exposed in a cyberattack at Premera BlueCross. Both incidents were discovered following an internal security audit, which revealed that hackers had first gained access to Protected Health Information many months previously.

Hackers are targeting healthcare providers and insurers because they hold vast quantities of valuable data. There are a number of ways that hackers can bypass even robust security defenses, and employees are usually the weakest link in the security chain. If hackers can fool healthcare employees into revealing their login details or security codes, or simply into visiting a malware-infected website or opening an infected email attachment, they can gain access to the network.

As all three of these major cyberattacks have shown, hackers can break through security defenses without detection, giving them days, weeks, or months to find and use patient and plan member data.

Due to the high risk of attack, HIPAA-covered entities must conduct regular malware scans and run internal audits to identify inappropriate access to data. It may not be possible to prevent hackers from gaining access to PHI, even if robust multi-layered security defenses are put in place, but it is possible to limit the damage caused by those attacks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.