This morning news broke that another member of the Blue Cross family, this time Excellus, was hacked, exposing approximately 10.5 million records. The intrusion began December 23, 2013, but was not discovered until August 5, 2015. In other words, attackers had persistent, undetected access inside Excellus for more than nineteen months.

The attack on Excellus compromised the following information: name, date of birth, SSN, mailing address, telephone number, member ID, financial account information and claims information. Amazingly, the attack also exposed records of individuals who were not Excellus members but belonged to other Blue Cross plans, including but not limited to any BCBS member who received services in New York, and members of BCBS Central New York, BCBS Rochester and BCBS Utica-Watertown.

According to BCBS, the hacking event occurred, but they are not sure whether any data was taken. Honestly, how is that even possible, unless you are not monitoring network traffic or logging access to and downloads of the data? Further, while Excellus says the information was encrypted, its statement also admits, rather obtusely, that the hackers had administrative access. Encryption at rest does not protect data from an account that is authorized to read it; with administrative credentials the attackers could read the data the same way any legitimate administrator would, encryption or not.
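To make concrete what "logging access and downloads" buys you in a breach investigation, here is an added example of my own (it is not from the post, from Excellus, or from any BCBS system): a small Python script that reads constructed database export-audit lines and totals what each account pulled in bulk and when. The log layout, account names, tables and the 10,000-row threshold are all assumptions for illustration.

```python
"""
Added example, not from the original post: what an export/access audit log
lets you answer after a breach ("what was taken, by which account, when").
The log lines, field layout, account names and thresholds below are
constructed assumptions, not Excellus's real logging format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log sample. Fields: timestamp, account, action, table,
# rows touched, bytes returned. A claims or member database would emit
# something equivalent from its query-audit or export-job logging.
SAMPLE_LOG = """\
2015-07-30T02:14:09Z svc_reporting EXPORT members 1200000 418000000
2015-07-30T09:03:11Z jdoe QUERY claims 40 9000
2015-07-30T09:05:42Z jdoe QUERY members 12 3100
2015-07-31T02:20:55Z svc_reporting EXPORT claims 2400000 911000000
2015-07-31T10:11:00Z asmith QUERY members 8 2050
2015-08-01T03:01:37Z svc_reporting EXPORT members 1250000 430000000
2015-08-01T11:45:12Z asmith EXPORT claims 500 120000
"""


def parse_line(line):
    """Split one whitespace-delimited audit line into typed fields."""
    ts, account, action, table, rows, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "action": action,
        "table": table,
        "rows": int(rows),
        "bytes": int(nbytes),
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def bulk_exports(events, row_threshold=10000):
    """EXPORT events at or above the row threshold: the events that answer
    'was data taken, and how much'. The threshold is an assumed baseline."""
    return [e for e in events
            if e["action"] == "EXPORT" and e["rows"] >= row_threshold]


def rows_taken_by_account(events, row_threshold=10000):
    """Total bulk-exported rows per account across the whole log."""
    totals = defaultdict(int)
    for e in bulk_exports(events, row_threshold):
        totals[e["account"]] += e["rows"]
    return dict(totals)


def off_hours_exports(events, start_hour=6, end_hour=20):
    """EXPORT events outside an assumed 06:00-20:00 business window; the
    first thing an analyst sorts on when hunting for exfiltration."""
    return [e for e in events
            if e["action"] == "EXPORT"
            and not (start_hour <= e["ts"].hour < end_hour)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for account, rows in rows_taken_by_account(events).items():
        print(f"{account}: {rows:,} rows exported in bulk")
    for e in off_hours_exports(events):
        print(f"off-hours export: {e['ts']} {e['account']} "
              f"{e['table']} {e['rows']:,} rows")
```

Two practical points follow from this. First, the script can only answer the question because the database recorded row counts per export; "we are not sure whether any data was taken" is what you are left saying when that record does not exist. Second, an attacker holding administrative credentials can usually edit or delete logs on the systems they control, so the audit trail has to be shipped to a separate, append-only store as it is written, or it is not evidence of anything.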

On top of the above exposures of personal data, the hack also exposed the information of business partners and vendors, specifically those who had provided Excellus with financial account information and SSNs.

Let’s recap the banner year for BCBS and its affiliates.

Total number of records exposed in breaches attributable to BCBS and its affiliates in 2015: 103,303,208

BCBS also has the dubious honor of now holding the top three spots for the largest PHI breaches on record. Here is a breakdown of the breaches spread across Anthem, Premera, and several smaller BCBS entities. This will be updated to include the most recent Excellus hack once the data is available. At a certain point, it raises the question of what is going on at BCBS that has led to the three largest PHI breaches in US history, all occurring in a single year. Nor does it explain how any company's risk analysis could have approved co-mingling multiple companies' data on shared servers, flat (non-segmented) networks, often no encryption, and apparently no monitoring of the network for suspicious activity.

If you are impacted and need more information, here is the link to the Excellus Breach Response page.

If you have not read my post on the FTC’s guidelines on data security, go read it now. It’s a great place to start on determining whether your data security plan has a good foundation.

Prepare now, or pay later.

/s/ HH @LegalLevity