Skip to main content

Exellus BlueCross BlueShield – Latest Victim of a “Sophisticated” Health Plan Cyberattack

Exellus BlueCross BlueShield has announced that the personal information of at least 10 million members has been compromised in a “very sophisticated” cyberattack that occurred on December 23, 2013 and was discovered by the plan on August 5, 2015.  According to a notification posted on the company’s website, hackers may have accessed the name, date of birth, social security number, mailing address, telephone number, member identification number, financial account information and claims information of affected members.

Excellus is offering no specifics regarding the nature of the attack but states repeatedly, throughout its website notification and related FAQs, that it has found no evidence of sensitive information being removed from its systems or misused.  Excellus began the process of mailing notices to affected individuals on September 9, and is providing two years of credit monitoring.

The Excellus breach follows a string of significant health plan data breaches this year, including the Anthem breach affecting 80 million members, the Premara breach affecting 11 million members, and the comparatively small – although extremely significant CareFirst breach, affecting 1.1 million members.

Stay tuned for the inevitable class action lawsuit.  We will have more as this story develops.

Subscribe To Viewpoints

Author

Dianne J. Bourque advises health care clients on licensure, regulatory, contractual, risk management, and patient care matters for Mintz. Dianne counsels researchers and research sponsors on FDA and OHRP regulations. She also counsels clients on data privacy issues, including HIPAA standards.