
Attacks/Breaches

9/10/2015
04:30 PM

Another Healthcare Insurer, Excellus BCBS, Hit With Mega-Breach

Excellus Blue Cross Blue Shield and parent company Lifetime Healthcare Companies join ranks of Anthem and Premera after breach that may have exposed more than 10 million patient records.

Cyber attackers last month executed a sophisticated attack to gain unauthorized access to the IT systems of Excellus BlueCross BlueShield and its parent company, Lifetime Healthcare Companies, possibly gaining unauthorized access to more than 10 million personal records.

The Rochester, N.Y.-based insurers learned Aug. 5 that cyber attackers had gained access to IT systems hosting individuals’ personal information, company officials reported Wednesday. Further investigation revealed that the initial intrusion occurred on Dec. 23, 2013, they said.

Company officials notified the FBI and are coordinating with the Bureau’s investigation into this attack. Excellus also hired Mandiant to conduct the investigation and help remediate the issues created by the attack on its IT systems; Mandiant has also conducted investigations at several of the other healthcare companies that were breached recently. 

So far in 2015, cyber attackers have targeted Anthem, Premera Blue Cross, LifeWise, UCLA Health System, CareFirst BCBS, and now Excellus. Security researchers have linked some of these attacks to groups in China, which would suggest the attackers are not after financial gain but after personal information on prominent Americans.

[Why so many attacks on healthcare companies, starting with the Community Health Systems breach in 2014? Read "Healthcare Breaches Like Premera First Stage Of Bigger Attacks?" on Dark Reading.]

Attackers increasingly are targeting “medical databases and protected healthcare information because they contain a treasure trove of personal identifiable information that they can use or sell on the black market to feed identity theft schemes,” said Adam Levin, founder and chairman of identity theft protection firm IDT911, and former director of the New Jersey Division of Consumer Affairs.

According to the Identity Theft Resource Center (via data security provider Netsurion), medical/healthcare is the second largest sector affected by breaches in 2015, with approximately 109.6 million records compromised.

The Excellus attackers may have gained access to personal information, including names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claims data.

However, the investigation has not determined that any such data was removed from Excellus’ systems. “We also have no evidence to date that such data has been used inappropriately,” company officials say.

“As breaches have become the third certainty in life, data must be encrypted and there needs to be multiple layers of security, like two-way authentication,” Levin says. “The initial intrusion took place more than a year ago, which begs the question, ‘who was minding the store?’”

“While it’s mentioned that there’s no evidence of files being stolen, [reports] also mentioned that the files were encrypted and that attackers had gained administrative access to the files, being able to presumably view them in an unencrypted form,” says Adam Kujawa, head of malware intelligence at Malwarebytes Labs, research arm of the anti-malware company.

“It then follows that with an attack of this magnitude, being done over the course of more than a year, cybercriminals probably stole information by simply copying and pasting it from its unencrypted form on the secure network to their own systems or utilizing built-in tools to parse the information for the most valuable data,” Kujawa says.

Kujawa thinks this latest breach is just another example of the weak cyber security measures currently in place for sensitive information. “While many industries, such as banking, are stepping up to the plate, there’s still a slow adoption or even failure from industries such as healthcare,” he says.
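Kujawa's point is worth making concrete: "the files were encrypted" says nothing about who is allowed to ask for the plaintext, and an attacker holding administrative credentials on the store that owns the key is simply another authorized reader. The Python sketch below is an added example, not code from Excellus, Mandiant or the article. It contrasts two hypothetical designs: storage-level encryption, where the store holds the key and decrypts for anyone who can log in, and field-level encryption, where the key lives in a separate key service that decrypts only for the application role and counts decryptions so a bulk read stands out. The principals, the threshold, the member record and the cipher (a toy HMAC-SHA256 counter-mode keystream standing in for AES-GCM so the code runs on the standard library alone) are all assumptions.

```python
# Added example: "encrypted at rest" vs. "who may decrypt". Not code from
# Excellus, Mandiant or the article; stores, key service and data are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream: a stdlib stand-in for a real
    AEAD such as AES-GCM. Illustration only, not for production use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # "app" (claims application) or "dba" (storage administrator)


class TransparentlyEncryptedStore:
    """Storage-level encryption: the store owns the key and decrypts for any
    principal who can log in, so stolen admin credentials yield plaintext."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._rows: dict[str, bytes] = {}

    def put(self, member_id: str, ssn: str) -> None:
        self._rows[member_id] = toy_encrypt(self._key, ssn.encode())

    def read(self, who: Principal, member_id: str) -> str:
        if who.role not in ("app", "dba"):
            raise PermissionError(f"{who.name} cannot log in")
        return toy_decrypt(self._key, self._rows[member_id]).decode()


class KeyService:
    """Separate trust boundary: holds the data key, decrypts only for the
    application role, and counts decryptions per principal so that pulling
    the whole member table is visible rather than silent."""

    BULK_THRESHOLD = 100  # assumed tuning value

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self.decrypts: dict[str, int] = {}
        self.alerts: list[str] = []

    def encrypt(self, plaintext: bytes) -> bytes:
        return toy_encrypt(self._key, plaintext)

    def decrypt(self, who: Principal, blob: bytes) -> bytes:
        if who.role != "app":
            raise PermissionError(f"{who.name} ({who.role}) may not decrypt member data")
        n = self.decrypts.get(who.name, 0) + 1
        self.decrypts[who.name] = n
        if n == self.BULK_THRESHOLD + 1:
            self.alerts.append(f"bulk decrypt by {who.name}: more than {self.BULK_THRESHOLD} records")
        return toy_decrypt(self._key, blob)


class FieldEncryptedStore:
    """The store only ever holds ciphertext; an admin (or an attacker with the
    admin's credentials) can copy the table but gets bytes, not SSNs."""

    def __init__(self, kms: KeyService) -> None:
        self._kms = kms
        self._rows: dict[str, bytes] = {}

    def put(self, member_id: str, ssn: str) -> None:
        self._rows[member_id] = self._kms.encrypt(ssn.encode())

    def dump(self, who: Principal) -> dict[str, bytes]:
        """What a storage admin can take: the raw rows."""
        if who.role != "dba":
            raise PermissionError(f"{who.name} may not dump the table")
        return dict(self._rows)

    def read(self, who: Principal, member_id: str) -> str:
        return self._kms.decrypt(who, self._rows[member_id]).decode()


def demo() -> dict:
    """Run the same stolen admin credential against both designs (constructed data)."""
    ssn = "123-45-6789"  # constructed placeholder, not a real SSN
    attacker = Principal("ops-admin", "dba")  # stolen storage-admin credential
    app = Principal("claims-app", "app")

    transparent = TransparentlyEncryptedStore()
    transparent.put("M-0001", ssn)
    kms = KeyService()
    field = FieldEncryptedStore(kms)
    field.put("M-0001", ssn)

    result = {"transparent_admin_sees": transparent.read(attacker, "M-0001")}
    try:
        field.read(attacker, "M-0001")
        result["field_admin_sees"] = "plaintext"
    except PermissionError:
        result["field_admin_sees"] = "denied"
    result["field_dump_has_ssn"] = ssn.encode() in field.dump(attacker)["M-0001"]
    result["app_reads"] = field.read(app, "M-0001")
    # An attacker who pivots to the application identity must still decrypt
    # one record at a time, and the key service sees the volume.
    for _ in range(KeyService.BULK_THRESHOLD):
        field.read(app, "M-0001")
    result["alerts"] = list(kms.alerts)
    return result
```

The second design does not make the data immune: an attacker who takes over the application host inherits its key-service identity. What it buys is a chokepoint where a year-long, record-by-record harvest leaves a count that someone minding the store could have noticed, which is exactly the visibility the first design lacks.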

Companies need to invest in employee training on proper security and privacy protocols, because a company is only as good as its weakest link, notes Levin. Affected members should immediately change usernames and passwords and use diverse, long, and strong passwords for their personal and financial accounts, he advises. 

“They should also check their accounts for any suspicious activity and sign up for transactional alerts from their bank.”

Excellus is providing two years of free identity theft protection services through Kroll, a global leader in risk mitigation and response solutions, including credit monitoring by TransUnion, to affected individuals, the company says.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.