Excellus cyberattack may have exposed 7 million customers’ personal information

The personal information could include an individual’s name, date of birth; Social Security number; mailing address; telephone number; member-identification number; financial-account information; and claims information, Excellus said.


Univera Healthcare, a Lifetime Healthcare affiliate, is offering assistance to anyone who may’ve been impacted.

“We want you to know that protecting your information is incredibly important to us, as is helping you through this situation with the information and support you need”, CEO Christopher C. Booth wrote in a message to members as part of the breach announcement.

Excellus BlueCross BlueShield, a health insurer providing service in western New York state, said Wednesday that it and its affiliates were recently hit with a data breach in which hackers may have accessed the personal information of 10.5 million customers.

The companies immediately notified the Federal Bureau of Investigation and took steps to close the vulnerability that allowed hackers access to their systems. The company has a 31-county service area across upstate, including in central New York and the Southern Tier.

“The most compelling element of this episode is the 20 months it took Excellus to discover the breach and put a stop to it”, said Jeff Hill, Channel Marketing Manager for STEALTHbits, in a statement. The Excellus BCBS data breach affected approximately 7 million Excellus patients and 3.5 million members of its non-Blues subsidiary, Lifetime Healthcare Cos.

She said Excellus is cooperating with the FBI’s investigation.

The company’s investigation found that initial attack occurred on December 23, 2013, according to its website.

To date, almost 143.8 million people have had their protected health information compromised in a HIPAA privacy or security breach, according to data from the Department of Health and Human Services.

Valenti said he’s likely to get questions from patients about what aspects of their personal or medical records may have been exposed and could potentially be used.

Excellus BCBS began to mail letters to affected individuals Wednesday and is providing two years of free identity theft protection services through Kroll, a global leader in risk mitigation and response solutions, including credit monitoring powered by TransUnion.

The statement said that there is no evidence that the plundered information has been exploited in the wild, but that a couple of years of protection is on offer.


A dedicated call center also has been set up for Excellus-Lifetime members and other affected individuals.

NY Health Insurer Hit With Hack Potentially Affecting 10.5M