Dive Brief:
- Excellus Blue Cross and Blue Shield of New York, along with its affiliates, announced it was the victim of a hack that initially took place on Dec. 23, 2013, but was discovered Aug. 5.
- The attackers gained access to more than 10 million personal records containing private information.
- Although nothing indicates any data has been used or removed, the information that may have been taken included names, birthdays, Social Security numbers, addresses, financial and claims information, etc.
Dive Insight:
The cyberattack was the third-largest HIPAA breach ever reported, following this year's historic Anthem and Premera cyberattacks, reports Healthcare IT News.
It impacted about 7 million Excellus customers and 3.5 million customers of Lifetime Healthcare Cos., a non-Blues subsidiary.
The companies began mailing notifications to impacted customers last week and are offering two years of free identity theft protection.
Following the string of hacks unveiled this year, nearly 143.8 million people have had their protected health information compromised in a HIPAA privacy or security breach, according to HHS.
Although Blues plans have been among the high-profile hacks multiple times, that doesn't necessarily mean they have more vulnerabilities, Mac McMillan of CynergisTek told Modern Healthcare. He suggests Blues affiliates have been proactively rooting out evidence of breaches ever since their Anthem attack.
“Every insurer should be looking and I’m willing to bet there’s a lot more we don’t know about,” McMillan says.