Highmark customers' data may have been exposed in Blue Cross cyberattack
Highmark Inc. insurance customers may have lost personal information to a cyber attack on a fellow Blue Cross carrier in New York, the Downtown-based insurer said Friday.
The data breach at Excellus BlueCross BlueShield, the latest in a string of attacks targeting health care companies, may have allowed hackers to access names, dates of birth, Social Security numbers, addresses and other sensitive data belonging to more than 10 million people.
The FBI is investigating the incident and urged Excellus and other Blue Cross customers to report any suspected fraud.
The attack highlights what experts say are weaknesses in the health care industry's data defenses and its slow response to the growing threat of hackers.
“Health care records are essentially the treasure trove, the most valuable records that they (criminals) can take,” said Joe Loomis, CEO of CyberSponse, a cyber security firm in Scottsdale, Ariz.
Records maintained by health insurers and hospital systems are the most comprehensive data collections on individuals that exist, Loomis said. They're even more valuable than tax documents, he said, and can be used for a variety of frauds, including identity theft, credit card fraud, false tax returns and fake medical billing.
As many as 1 million customers of Highmark and other Blue Cross health plans who used medical services in Excellus' service area between 1993 and 2013 had records in Excellus' compromised database, Highmark said. The state's largest health insurer said it did not know how many of its members were affected.
“Highmark is in contact with Excellus BCBS to gain additional insight about this issue and learn how it might impact our members,” the insurer said in a statement.
The company said privacy of its members information “remains a top priority” and that it has been stepping up defenses of its computer systems to prevent hacks.
The breach at Excellus is the largest at a health insurer since hackers gained access to records of about 80 million insurance customers earlier this year at Anthem Inc., the nation's largest Blue Cross insurer. More than 52,000 Highmark members had their personal information compromised in that attack.
Criminals are increasingly targeting databases at health insurers and hospital systems because they contain valuable information that can fetch as much as $500 per person on the black market, according to RSA, a computer security company in Bedford, Mass. By comparison, credit card numbers that are often the target of cyber thefts at large retailers are worth about $1 each.
Not only are they valuable, Loomis said, but the records also may not have been as well-protected as financial data because many leaders of health care organizations are unaware of the threats they face from hackers.
“I really am concerned about the health care industry, because their leaders aren't familiar with technology and the threats in the landscape,” he said.
Despite this growing problem, the health care industry is not suffering harm to its reputation or a loss of business, said Gene Grabowski, a crisis communications expert and partner at kglobal, a Washington consulting firm.
“There would be more of a risk and more damage done if there was more competition in the field” of health care companies, Grabowski said. “There are only a handful of companies that have the majority of the policyholders.”
And while customers who have had their credit card information stolen from computer systems at large retailers can stop using credit cards and pay cash, it's very difficult for people to use a health care system without providing personal, financial and medical data, Grabowski said.
“That adds to the growing sense of resignation that many people have on this issue,” he said.
But the Blue Cross Blue Shield Association, which licenses the nation's Blue Cross insurance companies, said it is taking the problem seriously. According to a statement from the association, it has more than 300 security and privacy experts working to find vulnerabilities in its members' systems and fix them.
“We are also going above and beyond standard practices by engaging a leading cyber security forensic firm to proactively assess the data security of every BCBS company,” the statement said.
It was one of these assessments that uncovered the breach at Rochester, N.Y.-based Excellus. The insurer said it learned of the cyber attack on Aug. 5 from experts hired to perform a forensic assessment of its computer systems. A subsequent investigation found that the initial hack occurred in December 2013.
“We are taking additional actions to strengthen and enhance the security of our IT systems moving forward,” the company said in a statement.
Excellus also said it was offering free identity theft protection services to those affected.
“The investigation has not determined that any such data was removed from our systems, and there is no evidence to date that any data has been used inappropriately,” Excellus spokesman Jim Redmond said.
Alex Nixon is a Trib Total Media staff writer. Reach him at 412-320-7928. Reuters contributed to this report.