
Cyber Incident Victim: Excellus BlueCross BlueShield

Date: Dec 2013

Location: United States of America

Summary

A health insurance provider experienced a cyberattack compromising sensitive personal and financial data of approximately 10.5 million individuals, including members of its affiliated plans and those who sought medical treatment within its service network. Exposed information encompassed names, birthdates, Social Security numbers, contact details, member IDs, insurance claims, and financial account records. The intrusion persisted undetected for an extended period before discovery, prompting involvement of federal law enforcement and cybersecurity firms to investigate. Impacted individuals were offered identity protection services, though the breach left medical and financial data potentially accessible to unauthorized actors. The incident affected both current customers and individuals who had historical interactions with the organization's healthcare network.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 3 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

The Excellus BlueCross BlueShield breach was discovered on August 5, 2015, when the health insurer confirmed unauthorized access to its systems, potentially compromising the data of 10.5 million individuals. Hackers initially infiltrated Excellus servers on December 23, 2013, and the intrusion remained undetected for over 19 months until Mandiant and FireEye security teams assisted in the investigation. The compromised data belonged to Excellus BlueCross BlueShield members, Lifetime Health Care customers, and members of other Blue Cross Blue Shield plans who received treatment within Excellus' 31-county service area in upstate New York. Affected records dated back to 1993 and contained highly sensitive personal information, including full names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, and health insurance identification numbers. Financial account details and insurance claim information were also exposed in the breach, creating substantial identity theft risks for victims. Although it confirmed the unauthorized access, Excellus stated it could not confirm whether attackers had successfully exfiltrated data from its systems. The FBI joined the investigation while the company began notifying regulatory authorities and impacted individuals about the security incident.


Excellus initiated response measures by offering two years of complimentary identity theft protection and credit monitoring services to all 10.5 million potentially affected individuals. Physical notification letters were mailed to confirmed victims with instructions to enroll in protective services, while those who had not received letters by November 9, 2015, were advised to contact Excellus directly. The breach's geographic scope was primarily limited to upstate New York residents and patients who received treatment within the network's service area, though business partners who had shared financial or Social Security information with Excellus were also impacted. No medical records or clinical treatment details were confirmed as compromised in the disclosure. The extended timeframe between initial compromise and detection highlighted significant security monitoring deficiencies, and the organization provided no explanation for the nearly two-year gap in identifying the intrusion. Public disclosure occurred approximately three weeks after discovery, through regulatory filings and direct consumer notifications, though the company did not disclose whether ransomware, extortion attempts, or specific attacker motivations were involved in the incident.

Sources: 1 source (available to members)