Data breach exposes 10M health records from New York insurer

Hack of Excellus is the latest in a string of attacks that, experts say, show records are more valuable than credit card numbers on the black market.

Laura Hautala

Electronic intruders accessed 10.5 million health records from members of Excellus BlueCross BlueShield insurance plans, the company announced Wednesday. Thom Lang/Corbis

More than 10 million records were exposed in a data breach of health insurer Excellus BlueCross BlueShield and a partner company. That's only a fraction of the size of a similar hack earlier this year, but it raises the question, "Again?"

The hack of Rochester, New York-based Excellus follows not just the breach of about 80 million health records from Anthem in January, but several smaller attacks against health care databases in California and New York. In July, the UCLA Health System announced hackers had accessed 4.5 million of its patient records. In June, an employee of a hospital called Montefiore Medical Center in New York was indicted for helping to steal 12,000 health care records.

Excellus revealed the breach on Wednesday, telling customers they would receive identity-monitoring services and that the FBI is investigating the crime. The records included Social Security numbers and other identifying information, as well as claims members made to pay for medical care.

"Protecting personal information is one of our top priorities and we take this issue very seriously," Christopher Booth, Excellus' chief executive officer, said in a statement. "We have already taken aggressive steps to remediate our IT system of issues raised by this cyberattack."

All these hacks together show that stealing health care records is a very attractive crime. Security experts say the information is more valuable than credit card numbers on the black markets where hackers sell personal information.

It's become such a large problem that law enforcement began warning health care industry companies last year that they may face an increased risk of data breach attacks. Following a hack on US hospital group Community Health Systems in August 2014, the FBI issued a flash warning to companies that it had observed "malicious actors targeting healthcare related systems," perhaps for the purpose of obtaining healthcare information or personal identification information, according to Reuters.

The records can be used for a cornucopia of fraudulent actions, from getting health care under someone else's name to income tax fraud. With your Social Security number, date of birth and other personal information, an identity thief could open bank or credit card accounts. Finally, shady advertisers can use the information to target you with ads, some malicious, based on your medical history.

While the offer is not a safeguard against all those potential problems, Excellus is providing two years of free identity-theft protection via security company Kroll and credit monitoring company TransUnion.

Adam Levin, founder and chairman of IDT911, a competitor to Kroll, said consumers who receive these free services should take advantage of them as fully as possible but still stay on top of their own credit. Consumers still might catch fraudulent activity that credit monitoring systems don't, he said.

For example, thieves often sell stolen credit card numbers based on the ZIP code, so buyers can use them in the same region where the victim lives, avoiding the red flags banks and credit-monitoring systems raise when cards are suddenly used to make purchases in a far-off location.

"You will know [it's fraud]," he said, "because you'll go, wait a minute, I wasn't there yesterday."