Excellus BlueCross BlueShield Data Breach
Kessler Topaz Meltzer & Check (“Kessler Topaz”) Announces Investigation of Excellus BlueCross BlueShield Concerning Recent Data Breach
Once again, millions of consumers are facing bad news as health insurer Excellus BlueCross BlueShield (“Excellus”) announced the discovery of a major data breach in its systems. According to reports, over 10 million subscribers to Excellus and its partner services have had their personal information stolen. The stolen data includes some of the most personal information, including medical records, Social Security numbers, and credit card numbers. Excellus estimates that any of the 10 – 10.5 million individuals who have received health care in its service area are at risk.
Kessler Topaz Meltzer & Check, LLP is investigating potential claims on behalf of Excellus customers who may have had their identity stolen. Specifically, Kessler Topaz Meltzer & Check, LLP is investigating whether Excellus was negligent, and whether that negligence led to the data breach that compromised the personal information of millions of its customers.
About Excellus BlueCross BlueShield
Excellus is headquartered in Rochester, New York. According to its website, Excellus is part of a $6.6 billion family of companies that finances and delivers health care services across upstate New York and long-term care insurance nationwide. The company claims that, collectively, the enterprise provides health insurance to about 1.6 million members and employs about 6,000 New Yorkers.
The company’s prior BlueCross BlueShield operations were known as: BlueCross BlueShield of Central New York, BlueCross BlueShield of the Rochester Area, and BlueCross BlueShield of Utica-Watertown. Today, Excellus maintains a strong local presence through four regional headquarters and additional field offices in: Central New York Region, based in Syracuse with an additional office in Watertown; Central New York Southern Tier Region, based in Elmira with an additional office in Binghamton; Rochester Region, based in Rochester; and Utica Region, based in Utica with additional offices in Oneonta and Plattsburgh.
The following subscribers to Excellus affiliates may have also been affected by the breach:
Individuals insured by Excellus BlueCross and BlueShield, including:
Subscribers of BlueCross BlueShield of Central New York at any point since 1983
Subscribers of BlueCross and BlueShield of the Rochester Area at any point since 1995
Subscribers of BlueCross BlueShield of Utica-Watertown at any point since 1980
Subscribers of Excellus BlueCross BlueShield at any point since 2002
Individuals insured through other Lifetime Health Companies affiliates, including:
Subscribers of Lifetime Benefit Solutions at any point since 2005
Subscribers of Lifetime Health Medical Group at any point since 1982
Subscribers of MedAmerica Companies at any point since 1987
Subscribers of Univera Healthcare at any point since 1995
BlueCross and Blue Shield members who have received medical care billed through Excellus
Alleged Wrongful Conduct
Excellus’ president and Chief Executive Officer, Christopher Booth, issued a statement confirming that “attackers may have gained unauthorized access to individuals’ information, which could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information.”
According to reports, the intrusion into the Excellus systems may have started nearly two years ago, with hackers apparently first getting into the systems on December 23, 2013. However, Excellus allegedly only discovered the hack on August 5, 2015. Health care companies, such as Excellus, are especially tempting targets for cyber attacks, as their files contain large amounts of personal information.
Excellus claims that the information was encrypted; however, that may provide no benefit, as the hackers may have had administrative access to the company’s network. This means the hackers could be able to decrypt the information the same way an actual internal systems administrator could.