US health insurer Excellus BlueCross BlueShield hit by data breach

Forensic investigation reveals a data breach at US health insurer Excellus BlueCross BlueShield exposing up to 11 million records 21 months after the first intrusion

Another US health insurer says it has been hit by a “sophisticated” cyber attack, with more than 10 million customer accounts exposed at Excellus BlueCross BlueShield.

The breach comes six months after a breach at Premera Blue Cross exposed the records of 11 million customers, and seven months after a breach at Anthem exposed up to 80 million records.

In August 2014, US hospital group Community Health Systems revealed that hackers had gained access to 4.5 million patient records in a cyber attack from April to June 2014.

Security experts predict cyber attacks on health care organisations will continue because of the rich sets of personal data they hold.

In May 2015, a Ponemon Institute report revealed that criminal cyber attacks on the US health sector had increased 125% in the past five years.

According to the Ponemon report, healthcare organisations typically do not have the resources, process and technologies to prevent and detect attacks or protect healthcare data, despite managing a treasure trove of personal information.

John Gunn, vice-president of communications at Vasco Data Security International, said hackers are attacking targets with the highest value assets.

“Retailers for payment cards, banks for funds, and healthcare organisations for social security numbers, but healthcare organisations are lagging behind. Unless they greatly increase their investment in the people and security solutions necessary to protect their assets, they will remain the target of choice for criminals,” Gunn said.

The latest breach was revealed by an external forensic assessment commissioned by Excellus in the light of the attacks on Premera and Anthem, according to Reuters.

Investigations so far have revealed that the initial breach took place in December 2013, targeting Excellus and its affiliates.

Legacy security

Franklyn Jones, chief marketing officer at Spikes Security, said the fact that the breach went undetected for two years shows that advanced targeted attacks are simply undetectable, despite the significant investments Excellus no doubt made in building a strong security architecture.

“The root cause of the Excellus breach can likely be traced to the failure of legacy security technologies, which all rely on some form of detection technology to try to identify and block these attacks. It’s painfully obvious that these products simply don’t work,” he said.

The insurer said it had notified the FBI and was co-ordinating with the Bureau’s investigation into the attack. It is also notifying affected customers by letter and has set up a call centre for queries.

"The FBI is investigating a cyber intrusion involving Lifetime Healthcare Companies – which include Excellus BlueCross BlueShield – and will work with the firms to determine the nature and scope of the matter," the FBI said in a statement.

The Rochester-based insurer said it was taking steps to address the situation and offering free identity theft protection services to those affected.

Identity theft and fraud are the biggest risk because health insurance records typically include key pieces of data – such as date of birth, social security number, address and financial account details.

"We are taking additional actions to strengthen and enhance the security of our IT systems moving forward," the company said in a statement.

Excellus said that, while attackers may have gained unauthorised access to customers’ personal data, the investigation had not determined that any such data was removed from its systems and there was no evidence to date that any data has been used inappropriately.
