ROCHESTER, N.Y. — The FBI is investigating a “sophisticated” cyberattack against Excellus BlueCross BlueShield (BCBS), which may have affected the personal
The same attack may have impacted an additional 3.5 million customers of other affiliates of the Lifetime Healthcare Companies, Excellus’ parent company.
The company issued separate news releases on the attack on Wednesday afternoon.
The cyberattack hit Excellus’ information-technology (IT) systems, the health insurer said in its news release.
The personal information could include an individual’s name; date of birth; Social Security number; mailing address; telephone number; member-identification number; financial-account information; and claims information, Excellus said.
The investigation has not determined that personal information on the company’s IT systems “was removed or used inappropriately,” according to Excellus.
Rochester–based Excellus is Central New York’s largest health insurer.
Excellus BCBS says it is cooperating with the FBI’s investigation.
As a result of cyberattacks on other insurance companies, Excellus BCBS started working with the Mandiant incident-response division of a company called FireEye to conduct a forensic assessment of its IT systems, Excellus said.
FireEye Inc. (NASDAQ: FEYE) is a Milpitas, California–based cybersecurity firm.
On August 5, Excellus BCBS learned that cyber attackers gained unauthorized access to its IT systems.
However, the company’s investigation revealed that the initial attack occurred on Dec. 23, 2013, Elizabeth Martin, vice president of communications at Excellus, said in response to a BJNN inquiry.
Protecting subscribers
The nonprofit health insurer contends it is taking steps for the “protection” of its members and individuals who do business with the health plan.
“Protecting personal information is one of our top priorities and we take this issue very seriously,” said Christopher Booth, the corporation’s chief executive officer. “We’re making a broad range of services available today for our members, our employees and other impacted individuals to help protect their information.”
Excellus BCBS will mail letters to affected individuals and is providing two years of free identity-theft protection services through Kroll.
Kroll is a New York City–based firm that specializes in risk mitigation and response services, including credit monitoring through TransUnion, according to Excellus.
The company’s focus areas include cyber security, investigations, and data-breach response, according to Kroll’s website.
Excellus has established a call center for members and other affected individuals.
It also launched a website (www.excellusfacts.com), where members and other affected individuals can view frequent questions and answers and sign up for the free credit-monitoring and identity-theft protection services.
Individuals who believe they are affected by this cyberattack, but who have not received a letter by Nov. 9, are encouraged to call the number listed at that website, Excellus said.
Contact Reinhardt at ereinhardt@cnybj.com