The potential loss of data — which includes names, addresses, telephone numbers, Social Security numbers, financial account information and in some cases sensitive medical information — appears to constitute the biggest known computer hack in local history. It is one of a series of major digital intrusions into Blue Cross affiliates and other health insurers nationwide over the last two years, at least some of which have been tentatively linked to shadowy groups in China.
Excellus and its corporate parent, Lifetime Healthcare, announced Wednesday afternoon that they had learned of the covert intrusion into their computer systems on Aug. 5 — though experts have since learned the cyberattack dates back more than 19 months.
The companies immediately notified the FBI and took steps to close the vulnerability that allowed hackers access to their systems.
It is not known whether the hackers stole personal information, Excellus spokesman Jim Redmond said, though the companies are offering two years’ free credit monitoring to affected parties as a precaution against reuse of stolen personal data for identify-theft purposes. There is no indication yet that any personal information has been misused by outside parties, he said.
Excellus and Lifetime said they have begun mailing letters to people who may have been affected, a process that may take until November to complete.
Affected parties include about 7 million people who are insured by Excellus, patients covered by those policies and Blue Cross Blue Shield members from other parts of the country who received medical care that was billed through Excellus, Redmond said. Excellus is the largest health insurer in the Rochester area.
The records of an additional 3.5 million people who receive services through five Lifetime units — Lifetime Health, Lifetime Care, Univera Healthcare, MedAmerica and Lifetime Benefits Solutions — also were breached by the hackers.
In a prepared statement, the FBI said it was investigating the Excellus-Lifetime intrusion and asked citizens who believe they have fallen victim to identify theft to report it at a government website, www.ic3.gov.
Evidence now shows the initial hack of the Excellus-Lifetime systems occurred on Dec. 23, 2013, Redmond said, but went undiscovered by the companies’ IT staff for many months.
At some point, Excellus and Lifetime learned that a number of other health insurers had suffered cyberattacks.
The biggest and most prominent was at Anthem Inc., which owns Blue Cross Blue Shield insurance companies in 14 states. Anthem revealed in February that personal information on as many as 79 million people had been accessed in a hacking episode that apparently began months earlier.
Consultants have been quoted in news stories linking that attack to parties in China, suggesting that the intruders were not out for immediate financial gain but were amassing personal information on prominent Americans.
The FBI said in its statement that it had briefed Excellus and other health-care insurers earlier this year about cyberattacks.
Awareness of other attacks prompted Excellus-Lifetime to hire a computer security consultant, California-based FireEye Inc., to conduct a forensic assessment of its systems. Anthem also hired FireEye to investigate its intrusion.
Once FireEye’s Mandiant incident response team began studying the Excellus-Lifetime computer systems, it found the vulnerability that the hackers had exploited. Asked why Excellus-Lifetime’s staff hadn’t found the hole earlier, Redmond said Mandiant experts told them this was consistent with the experience at other companies that experienced similar attacks.
“Protecting personal information is one of our top priorities and we take this issue very seriously,” said Christopher Booth, the corporation’s chief executive officer. “We’re making a broad range of services available today for our members, our employees and other impacted individuals to help protect their information.”
Dr. William Valenti, senior vice president and staff physician at Trillium Health, said he thought the Excellus intrusion would be “a wake-up call for all of us to make sure we deliver what we say we’ll deliver in terms of keeping people’s health information private.”
Trillium provides primary as well as mental health care, specialized services for people with HIV/AIDs and care for people who identify as lesbian, gay, bisexual or transgender.
Valenti said he’s likely to get questions from patients about what aspects of their personal or medical records may have been exposed and could potentially be used.
Trillium, like other providers, uses a coding system to tell insurers what care was provided.
“The question I would have is, are we talking about an (Excellus) database that does or does not have the patient’s diagnostic coding,” Valenti said.
Valenti said providers may need to reassure patients that they do take seriously the information that patients entrust to them. “It prompts us to take another look at the way we handle this information through our electronic records.”
Asked how MVP Health Care protects member data, James Poole, chief information officer, said in an email that the insurer takes “technical, physical and administrative measures along with ongoing testing and training to do the best we can to protect sensitive information.”
If you’re affected
Excellus BlueCross BlueShield and Lifetime Healthcareare providing two years’ free identity theft protection services through Kroll, a global leader in risk mitigation and response solutions, including credit monitoring powered by TransUnion.
Dedicated websites have been created by Excellus (excellusfacts.com) and Lifetime (lifethcfacts.com) to provide answers to frequent questions and to allow affected persons to sign up for the free credit monitoring and identity theft protection services.
A dedicated call center also has been set up for Excellus-Lifetime members and other affected individuals. Individuals who believe they are affected by this cyberattack but who have not received a letter from the companies by Nov. 9 are encouraged to call toll-free number,(877) 589-3331.