Excellus BlueCross BlueShield announced on Wednesday that an attack on its systems has potentially exposed the personal information of more than 10 million plan members.
The New York-based health insurer said it recently became aware that attackers had executed a “sophisticated attack,” which had initially occurred on December 23, 2013.
The data breached may have included individuals’ names, birthdates, Social Security numbers, mailing addresses, telephone numbers and member ID numbers, as well as patients’ claims and financial account information.
According to a company spokesman, the hackers gained access to administrative controls, which allowed them to access the sensitive information of members and patients.
Nonetheless, Excellus said its investigation has not determined that any such data was removed from its systems.
“We have no evidence to date that such data has been used inappropriately,” said the company.
The incident affects an estimated 7 million Excellus members, as well as an additional 3.5 million individuals served by Lifetime Healthcare Companies, including Lifetime Health, Lifetime Care, Univera Healthcare, MedAmerica and Lifetime Benefits Solutions.
Excellus stated it has notified the FBI and is coordinating with the Bureau’s investigation into the attack.
“We are taking additional actions to strengthen and enhance the security of our IT systems moving forward,” said the company.
Affected individuals will be notified by mail and offered two years of complimentary identity theft protection services, including credit monitoring.
“Individuals contacted by the companies should take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center,” said the FBI in a statement.
The incident follows the massive breach earlier this year at Anthem Inc., the second-largest U.S. health insurer, which compromised the records of nearly 80 million customers.