News Feature | September 11, 2015

Lessons From The Excellus Data Breach: Why Your Healthcare IT Clients Need You

By Megan Williams, contributing writer


Yet another massive data breach has been discovered in the healthcare sector, this time striking New York. Threatpost reported that Excellus BlueCross BlueShield was hit by an attack that began in 2013 and was not uncovered until last month. Member information, including Social Security numbers, addresses, and account and financial information, was compromised.

Excellus has said that in addition to its members and patients, people under other BCBS plans treated in the 31-county area that they serve may also be affected. There was no evidence that any data was removed from the Excellus network.

The Delay

The breach was only discovered after Excellus took note of other breaches impacting healthcare companies and decided to have their own network checked.

According to Jeff Hill, Channel Marketing Manager, STEALTHbits, “The most compelling element of this episode is the 20 months it took Excellus to discover the breach and put a stop to it. Twenty months exceeds the average breach discovery time — about 200 days — but in Excellus’ defense, it beats the over five years hackers ran wild on the newswire services' networks before being discovered by the SEC, not internal IT systems. Gone are the days of smash-and-grab operations executed by impetuous, immature hackers. Of the newest weapons and tactics being deployed by today's attackers, patience may be the most dangerous development.”

Addressing The Issue

The FBI is investigating the breach, according to NBC News, and is working alongside the impacted companies to determine its full extent. It is urging customers to begin monitoring their credit and to report any suspicious activity related to identity theft to its Internet Crime Complaint Center online.

The healthcare industry will continue to see breaches like these, if only because of the value of the data it holds. According to John Gunn, VP of Communications, VASCO Data Security International, the industry has to make a choice: “It is simple economics — hackers are attacking targets with highest value assets; retailers for payment cards, banks for funds, and healthcare organizations for social security numbers. Healthcare organizations are lagging behind and unless they greatly increase their investment in the people and security solutions necessary to protect their assets, they will remain the target of choice for criminals.”