
9/10/2015 04:30 PM

Another Healthcare Insurer, Excellus BCBS, Hit With Mega-Breach

Excellus Blue Cross Blue Shield and parent company Lifetime Healthcare Companies join ranks of Anthem and Premera after breach that may have exposed more than 10 million patient records.

Cyber attackers last month executed a sophisticated attack that gave them unauthorized access to the IT systems of Excellus BlueCross BlueShield and its parent company, Lifetime Healthcare Companies, possibly exposing more than 10 million personal records.

The Rochester, N.Y.-based insurers learned Aug. 5 that cyber attackers had gained access to IT systems hosting individuals’ personal information, company officials reported Wednesday. Further investigation revealed that the initial attack occurred on Dec. 23, 2013, they said.

Company officials notified the FBI and are coordinating with the Bureau’s investigation into this attack. Excellus also hired Mandiant to conduct the investigation and help remediate the issues created by the attack on its IT systems; Mandiant has also conducted investigations at several of the other healthcare companies that were breached recently. 

So far in 2015, cyber attackers have targeted Anthem, Premera Blue Cross, LifeWise, UCLA Health System, CareFirst BCBS, and now Excellus. Security researchers have linked some of these attacks to groups in China, which would suggest the attackers are not out for financial gain but instead for the collection of personal information on prominent Americans.

[Why so many attacks on healthcare companies, starting with the Community Health Systems breach in 2014? Read "Healthcare Breaches Like Premera First Stage Of Bigger Attacks?" on Dark Reading.]

Attackers increasingly are targeting “medical databases and protected healthcare information because they contain a treasure trove of personal identifiable information that they can use or sell on the black market to feed identity theft schemes,” said Adam Levin, founder and chairman of identity theft protection firm IDT911, and former director of the New Jersey Division of Consumer Affairs.

According to the Identity Theft Resource Center (via data security provider Netsurion), medical/healthcare is the second largest sector affected by breaches in 2015, with approximately 109.6 million records compromised.

The Excellus attackers may have gained access to personal information, including names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claims data.

However, the investigation has not determined that any such data was removed from Excellus’ systems. “We also have no evidence to date that such data has been used inappropriately,” company officials say.

“As breaches have become the third certainty in life, data must be encrypted and there needs to be multiple layers of security, like two-way authentication,” Levin says. “The initial intrusion took place more than a year ago, which begs the question, ‘who was minding the store?’”

“While it’s mentioned that there’s no evidence of files being stolen, [reports] also mentioned that the files were encrypted and that attackers had gained administrative access to the files, being able to presumably view them in an unencrypted form,” says Adam Kujawa, head of malware intelligence at Malwarebytes Labs, research arm of the anti-malware company.

“It then follows that with an attack of this magnitude, being done over the course of more than a year, cybercriminals probably stole information by simply copying and pasting it from its unencrypted form on the secure network to their own systems or utilizing built-in tools to parse the information for the most valuable data,” Kujawa says.

Kujawa thinks this latest breach is just another example of the weak cyber security measures currently in place for sensitive information. “While many industries, such as banking, are stepping up to the plate, there’s still a slow adoption or even failure from industries such as healthcare,” he says.

Companies need to invest in employee training on proper security and privacy protocols, because a company is only as good as its weakest link, notes Levin. Affected members should immediately change usernames and passwords and use diverse, long, and strong passwords for their personal and financial accounts, he advises. 

“They should also check their accounts for any suspicious activity and sign up for transactional alerts from their bank.”

Excellus is providing two years of free identity theft protection services through Kroll, a global leader in risk mitigation and response solutions, including credit monitoring by TransUnion, to affected individuals, the company says.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.