Health insurance company Excellus said hackers broke into its servers and may have made off with the personal details of 10.5 million people.
The insurance firm said the information belongs to customers who lived in or sought treatment in the upstate New York area. The breach exposed the personal information of 7 million Excellus Blue Cross Blue Shield (BCBS) customers and 3.5 million Lifetime Health Care customers.
The data was from patients who were treated in the Excellus hospital network in 31 counties since 1993. Excellus said it has not yet determined whether the exposed data was actually copied by the hackers.
While the breach is believed to be limited to those in the upstate New York area, the information exposed is extremely sensitive. It includes member names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, and member identification numbers. Also at risk are insurance claim and financial account details for the 10.5 million patients of the Excellus and Lifetime Health Care insurance providers in the area.
"This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus BCBS," Excellus said.
"Individuals who do business with us and provided us with their financial account information or Social Security number are also affected."
Excellus said the breach initially occurred on December 23, 2013, but was only discovered by the company on August 5 of this year. Excellus said it was working with the FBI to investigate the incident. Security firms FireEye and Mandiant were also called in to investigate.
For the 10.5 million people whose data has been exposed, Excellus said it will be providing two years of free identity theft and credit monitoring. Those whose data was stolen will receive letters from Excellus with further information, and those who believe they were impacted but have not received a letter by November 9 should contact Excellus directly.
Those services will likely provide little comfort, however, to the 10.5 million people who now likely have their highly personal medical information in the hands of hackers. ®