10M customers exposed in Blue Cross hack

10M customers exposed in Blue Cross hack
© Getty Images

A New York Blue Cross Blue Shield plan revealed late Wednesday that it has been the victim of a massive cyberattack, exposing the data of more than 10 million people. 

The hack falls within the top 20 worst healthcare breaches ever reported, according to the Department of Health and Human Services’ list of breaches, known in the industry as the agency’s “wall of shame.” 

Excellus BlueCross BlueShield discovered the attack in August, but the initial intrusion took place in December of 2013. So far, it doesn’t appear that the hackers stole or used any information, but they did gain access to customers’ names, birth dates, Social Security numbers, mailing addresses, financial information and claims information. 

The insurer is working with well-known cybersecurity firm Mandiant and is offering customers two years of free identity-theft protection. 

Blues-affiliated plans across the country have faced a series of high-profile hacks this year, most notably the Anthem hack that exposed as many as 80 million members.  

Experts suggest that foreign intelligence agencies may be trying to triangulate information about federal workers, who make up a large proportion of Blues plan members. 

Others say the Blues aren’t necessarily being targeted over other insurers, but that it’s a case of “seek and ye shall find.” 

“I don’t think this is an anomaly or this should be a surprise to anybody,” health IT security expert Mac McMillan told Modern Healthcare. “I think the Blues are finding it because the Blues have gotten their nose bloodied and they’re looking to address it and finding it now. I’m willing to bet there’s a lot more we don’t know about.”

A recent KPMG survey found that 81 percent of healthcare organizations have had their networks compromised by a cyberattack. Report authors said that many are not even aware they had been hacked.

Excellus continues to work with the FBI to investigate the attack. It has declined to say whether it has identified the hackers.