Excellus Blue Cross and Blue Shield, a USA-based insurer, disclosed on Wednesday afternoon that it was the victim of a sophisticated cyber attack by hackers who may have gained access to over 10 million personal records.
Christopher Booth, the insurer’s CEO, said in a message to customers that Excellus had discovered the attack on Aug. 5 and an investigation determined that it occurred on Dec. 23, 2013. The hackers are believed to have had access to customers’ names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification, financial account information and claims information, which would likely include medical data.
The attack affected about 7 million Excellus members and 3.5 million members of its non-Blues subsidiary, Lifetime Healthcare Cos. The company is notifying affected customers and offering identity theft protection through Kroll, a risk mitigation and response solution company, including credit monitoring through TransUnion.
The attack falls within the top 20 worst healthcare breaches ever reported by a healthcare organisation.
Commenting on this, David Gibson, VP of strategy and market development at Varonis said, “Excellus is currently saying there’s no evidence that the information was “removed.” Who are we kidding here? The hackers were just browsing around for kicks? The reality is that they probably have no idea what happened or what was stolen and never will. This would come as no surprise to anyone, and doesn’t sound much different than the major cyber attacks that we have more information on. In the case of the notorious Anthem data breach, thieves were outsiders who were able to stealthily get a hold of employee credentials to access files. And we’d be willing to bet that’s exactly what happened here.”
“The fact that the company only discovered the breach almost a year and a half after it took place is indicative of a naïve attitude toward security,” added Simon Crosby, CTO and co-founder at endpoint security firm, Bromium. “It is unforgivable that any organisation should be so lackadaisical in its handling of customer data at a time when it is entirely possible to prevent breaches from happening in the first place, or to detect anomalous behaviour in the network to indicate a breach in progress.” he said.
“The Excellus attack occurred back in December 2013 and went undetected until now. Unfortunately, Advanced Persistent Threats (APT) are capable of eluding single anti-malware defences and staying under the ‘malware radar’ by lying in wait before executing their payload or by utilising otherwise harmless files or processes. By implementing multiple layers of defence, and using a multi-scanning solution that combines different detection algorithms and heuristics of multiple anti-malware engines, as well as other preventive measures such as data sanitization, many more advanced threats can be detected and a company’s exposure greatly diminished.” concluded Mike Spykerman, VP at OPSWAT.
Excellus said it has notified the FBI and is cooperating with the bureau’s investigation.
