Cost of the Excellus BlueCross BlueShield Data Breach Reaches $17.3M

The cost of the Excellus BlueCross BlueShield data breach has reached $17.3 million, according to its latest financial filings.

The Rochester-based health insurer suffered the third largest healthcare data breach of 2015, more than twice the size of the largest healthcare data breach reported before the Anthem cyberattack was discovered. More than 10 million plan member and vendor records were exposed in the cyberattack, which was discovered on September 9, 2015.

The bulk of the initial cost has gone on providing all affected members with credit monitoring and protection services. That cost the insurer $13.5 million in the final quarter of 2015. All affected individuals were offered two years of complimentary credit monitoring and identity theft protection services following the exposure of their PHI.

The data breach exposed highly sensitive data including Social Security numbers, medical data, and financial information. More than five months have passed since the cyberattack was discovered, and Excellus has yet to uncover any evidence that the hackers responsible have used plan member data; in fact, Excellus has found no evidence that data were actually exfiltrated. That said, the absence of evidence is not proof that no theft occurred: any hacker capable of infiltrating the company’s systems and remaining undetected for 20 months could equally have concealed the exfiltration of data.
</gre_replace>
<gr_replace lines="13" cat="clarify" orig="The Office for Civil">
The Department of Health and Human Services’ Office for Civil Rights will almost certainly investigate the data breach and could fine Excellus for any HIPAA violations it discovers, and state attorneys general may also decide to take action and fine the health insurer for the exposure of plan member data.

The financial report indicates that a data breach insurance policy has covered $9.1 million of the expenses so far incurred, with Excellus forced to pay the other $8.2 million. However, the costs continue to be incurred and the final cost of the Excellus BlueCross BlueShield data breach is unlikely to be known for many months, if not years.

The Office for Civil Rights will have launched an investigation into the data breach and could well fine Excellus for any HIPAA-violations discovered, and state attorneys general may decide to take action and fine the health insurer for the exposure of plan-member data.

Then there are the class-action lawsuits filed by victims of the breach. To date, more than 12 lawsuits have been filed by plan members whose PHI was exposed as a result of the cyberattack.

Plan members unhappy with the exposure of their PHI could well switch insurers as a result of the cyberattack, although the extent to which this has happened is unlikely to be known for many months. Excellus has reported a loss of approximately 100,000 members in the past year, but this has been attributed to the withdrawal of Medicaid-related products rather than to the cyberattack.

Excellus has not released details of its expected costs in 2016, although the $17.3 million total is likely to rise considerably. In May 2015, the Ponemon Institute calculated the average cost of a healthcare data breach to be $363 per record. Applied to more than 10 million records, that figure would put the cost of the Excellus BlueCross BlueShield data breach at as much as $3.6 billion, although that should be treated as an upper bound: Ponemon derives its per-record average from breaches of roughly 100,000 records or fewer and cautions that it does not scale linearly to breaches of this size.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.