Excellus BlueCross BlueShield latest health insurer to fall victim to cyberattack
On December 23 of 2013, approximately 10 million citizens of upstate New York received quite the Christmas “gift.” Unfortunately, they wouldn’t know about the existence of this “gift” for almost two more years.
Just last week it was announced that a cyberattack and data breach had been perpetrated against the health insurance company Excellus BlueCross BlueShield, which serves a large population of individuals in New York State. The attack – which occurred on December 23 of 2013 – was not discovered until August 5, 2015, and not disclosed to the public for another month.
From the time it started until the time it was discovered, the breach could have given bad actors unfettered access to a laundry list of different kinds of personally identifiable information (PII) about Excellus customers.
This breach comes on the heels of multiple other high-profile breaches that have impacted health insurers and healthcare providers in recent history – including the Anthem breach and the UCLA Health breach. Unlike the Anthem breach, however, it appears that some financial information may have been compromised in this attack.
According to a statement by Excellus CEO, Christopher C. Booth, “Our investigation determined that the attackers may have gained unauthorized access to individuals’ information, which could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information.”
The company is now going through the usual steps that enterprises follow when networks are breached and customer information is exposed. They’ve hired Mandiant to identify the scope of the breach and work to patch the holes that led to the breach. They’ve also reached out to customers with an offer for two free years of credit monitoring services.
Regardless of the steps taken in response to the incident, it will still cost the company in brand loyalty and the cash needed to pay for those credit monitoring and network security services. And once those security holes and flaws are patched, there is no guarantee that others won’t pop up. This is mostly due to companies embracing point security solutions instead of implementing security at a higher level, across the enterprise.
But even with a significant and costly impact on the insurer, the effect of the breach on Excellus customers could be even worse and far more frightening.
As we’ve discussed in previous posts, the average American uses approximately 5 different passwords for their 20-plus disparate online accounts and profiles. It took almost two years for news of this breach to make it to Excellus customers. During the course of those two years, bad actors could have compromised login credentials or enough PII to fuel brute force hacking attempts.
These bad actors could then find other online accounts for their victims and use this information to help themselves to their bank accounts, social network profiles or any other online account these individuals have because – chances are – they used the same login credentials.
This is why one breach often begets many. It’s also why many users and online service providers need to move away from traditional login credentials and embrace a multifactor, out-of-band authentication system.
An authentication solution that can gauge location and intent – in conjunction with inherence and possession – can ensure that stolen PII or login credentials from one system can’t be used to compromise other accounts. Utilizing a system that is 100 percent out-of-band also ensures that the authentication process can’t be compromised by key-loggers, man-in-the-middle attacks or other types of cyberattacks and malware.
The recent KPMG study, “Healthcare and Cybersecurity,” showed that healthcare companies – including both providers and payers – are becoming increasingly at risk of cyberattack. It also showed that many are unprepared to protect their networks, identify attacks and respond in a timely fashion. The Excellus attack validates the findings in the report and shows why it’s more important than ever for all users and enterprises to reevaluate how they approach authentication.