News Feature | September 28, 2015

Excellus Data Breach Undetected For Nearly Two Years

Christine Kern

By Christine Kern, contributing writer

SMB IT Data Security

Healthcare’s latest breach fortifies push for cybersecurity legislation.

The latest healthcare organization to be hit by a data breach, Excellus BlueCross BlueShield (BCBS), announced it discovered that sophisticated cybercriminals had access to its IT systems for more than 18 months, according to Security Week.

This new attack, and in particular the length of time it went undetected, has raised new calls for cybersecurity legislation to help safeguard protected health information. Excellus discovered its own breach as a result of internal investigations conducted in wake of other prominent data breaches, including those at Anthem and Premera.

In a statement, Excellus revealed on August 5, 2015 the company discovered “cyber attackers had executed a sophisticated attack to gain unauthorized access” to its IT systems and further investigation revealed that the initial attack occurred on December 23, 2013. Compromised data of as many as 10.5 million individuals may include names, birth dates, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claims information for members on Excellus or other BlueCross Blue Shield plans who sought treatment in the 31 county upstate New York service area of Excellus BCBS.

In what has become a familiar litany, Christopher Booth, the corporation’s CEO, said, “Protecting personal information is one of our top priorities, and we take this issue very seriously. We’re making a broad range of services available today for our members, our employees and other impacted individuals to help protect their information. We have already taken aggressive steps to remediate our IT system of issues raised by this cyberattack.”

But some are increasingly concerned about the growing number of healthcare breaches.  “The Excellus breach is just the latest example of how hackers are able to avoid detection and go unnoticed within a network for long periods of time. While the exact details of how the breach occurred have not yet been released, the responsibility still lies with the hacked organization to do a better job of quickly detecting and responding to these types of attacks,” Mike Hamilton, VP of product at Ziften, told Security Week in regard to the Excellus breach. “No attack should go undetected for extended lengths of time, in this case well over a year. Security teams need to shore up their existing security infrastructure with tools designed to provide the intelligence required to shut these hackers down and limit the damage.”

“Excellus BlueCross BlueShield now joins a long list of companies that have been the victim of a cyberattack, including Target, JP Morgan, SONY, and countless others. The fact that this data breach was not discovered for 19 months just goes to show how sophisticated online hackers are and how much work we have to do when it comes to protecting our personal information,” said U. S. Senator Charles E. Schumer.

“So I am urging my colleagues in Congress to strengthen consumer cyber protections and require companies to notify their customers if there has been a breach of their personal information in a timely matter so they can take action to ensure they are not the victim of identity theft. In addition, we need intelligence and law enforcement agencies to work together to share information of potential cyber threats to prevent another attack. When it comes to the personal information of New Yorkers — be it their Social Security number, their health records, or financial information — we can never be too safe.