Excellus BlueCross BlueShield, a health insurance provider in upstate New York, said a recently discovered data breach allowed hackers to potentially compromise the personal information of 10.5 million people.
The Rochester-based insurer said Wednesday that its IT systems were targeted by “a sophisticated cyberattack” in December that affected upwards of 7 million patients and possibly 3.5 million others insured through its parent group, Lifetime Healthcare Companies.
Names, birthdates, Social Security numbers, mailing addresses, telephone numbers, financial account records and clinical information of those individuals may have been breached in the attack, the company said.
In a statement released Wednesday, the company said it became aware of the hack on Aug. 5 after it ordered a security firm to conduct a forensic assessment of its network amid reports of similar breaches in the health care industry.
“Protecting personal information is one of our top priorities and we take this issue very seriously,” CEO Christopher Booth said in a statement. “We’re making a broad range of services available today for our members, our employees and other impacted individuals to help protect their information.”
The vulnerability in its system that was exploited by hackers has since been fixed, and the insurer said the FBI was notified and has launched an investigation into the attack. Excellus said it began mailing letters to affected individuals this week and will provide two years of complimentary identity theft protection services, including credit monitoring, to affected customers.
According to a list of hacks maintained by the Department of Health and Human Services, the number of affected parties puts the Excellus breach among the top 20 worst cyberattacks on the health care industry in the digital era. Anthem, another Blue Cross Blue Shield affiliate, said in February that hackers had compromised roughly 80 million of its own user records.
Excellus is the largest health insurer in the Rochester region and has customers in 31 counties across New York. Affiliate companies believed to have been breached include Lifetime Health, Lifetime Care, Univera Healthcare, MedAmerica and Lifetime Benefits Solutions.