10 Million Affected by Sophisticated Cyberattack

McGuireWoods LLP

The latest major health insurance data breach of 2015, reported by Excellus BlueCross BlueShield, is considered one of the top 20 worst reported breaches of a healthcare organization. The attack affected about 7 million Excellus members and 3.5 million members of its subsidiary, Lifetime Healthcare Cos., and potentially exposed individual names, addresses, birth dates, Social Security numbers, member identification numbers, financial account information, claims data and clinical information, which would likely include medical data.

Significantly, the incident occurred two years ago but was only discovered in August. Excellus hired a leading cybersecurity firm to conduct a forensic assessment of its IT systems, specifically in response to previous security breaches at other insurance companies. That investigation revealed that hackers initially gained access to highly personal information on December 23, 2013.

The breach is alarming because Excellus BlueCross BlueShield’s considerable efforts to safeguard the privacy of personal information did not prevent it. According to Excellus, the company encrypted the sensitive information, but the encryption method did not prevent hackers from accessing the information. Hackers were able to circumvent the company’s encryption by accessing decryption keys available to administrators.

The Excellus breach was discovered because the company was proactive in finding and addressing data privacy and security vulnerabilities. This discovery raises the question, “What breaches have occurred in other organizations that have not been discovered simply because they are not looking?” It is another reminder for organizations to be constantly vigilant and to scrutinize systems for vulnerabilities. Organizations that own, license or maintain personal information should implement and follow stringent defensive security measures, consider hiring third-party forensic experts, and limit liability with appropriate cyber insurance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising
