In December 2013, Excellus BlueCross BlueShield, a health insurer, experienced a data breach that was discovered in August 2015. The breach potentially exposed personal information. The incident led to a settlement with the Office for Civil Rights at the U.S. Department of Health and Human Services and a class-action lawsuit.

How many accounts were compromised?

The breach compromised the personal information of approximately 10.5 million individuals.

What data was leaked?

The data exposed in the breach included names, addresses, birthdates, Social Security numbers, health plan ID numbers, financial account information, claims data, clinical information, and credit card numbers.

How was Excellus BlueCross BlueShield hacked?

In the Excellus BlueCross BlueShield breach, hackers gained access to administrative controls, rendering encryption ineffective. The breach remained undetected from December 2013 until August 2015, when cybersecurity firm Mandiant discovered the attack during a forensic assessment. The company has since taken steps to close the vulnerability and strengthen its IT systems.

Excellus BlueCross BlueShield's solution

In response to the hacking incident, Excellus BlueCross BlueShield took several measures to enhance their security and prevent future breaches. These actions included closing the vulnerability, remediating their IT systems, and working with cybersecurity firm Mandiant to strengthen and enhance the security of their IT systems. Additionally, Excellus developed a strategy to dispose of records containing personal and protected health information within one year of the original retention period, increased its minimum information security budget, and implemented specific security measures to make its network more secure. The company also offered affected individuals two years of free credit monitoring and identity theft monitoring services.

How do I know if I was affected?

Excellus BlueCross BlueShield reached out to affected users and offered them two years of free credit monitoring and identity theft monitoring services. If you believe you were affected by the breach but did not receive a notification, you can visit HaveIBeenPwned to check your credentials.

What should affected users do?

In general, affected users should:

• Change Your Passwords: Immediately update your passwords for any accounts that may have been compromised. Make sure the new passwords are strong and unique, not previously used on any other platform.

• Reset Passwords for Other Accounts: If you've used the same or similar passwords for other online accounts, reset those as well. This is crucial as attackers often try using stolen passwords on multiple sites.

• Enable Two-Factor Authentication (2FA): Activate 2FA on any affected accounts. Consider enabling this additional security feature on all other important online accounts to significantly reduce the risk of unauthorized access.

For more specific help and instructions related to Excellus BlueCross BlueShield's data breach, please contact Excellus BlueCross BlueShield's support directly.

Where can I go to learn more?

If you want to find more information on the Excellus BlueCross BlueShield data breach, check out the following news articles:

• Health Insurer Pays $5.1 Million to Settle Data Breach Affecting

• Excellus BlueCross BlueShield Hacked

• Excellus, BCBSA Reach Settlement Following 2015 Data Breach