In the third major healthcare data breach of 2015, Excellus Blue Cross Blue Shield (BCBS), an upstate New York healthcare company, reported that the records of nearly 10.5 million of its customers had been exposed in a sophisticated attack on its information technology systems. A statement issued by the company said that the breach was discovered on August 9, 2015, but that its internal investigation revealed that the initial breach had occurred on December 23, 2013. The statement further noted that the hackers snatched Social Security numbers, member names, dates of birth, medical claims data, financial account information, addresses, and phone numbers.
Following similar attacks on Anthem and Premera Blue Cross earlier this year, the BCBS attack brings the number of persons whose electronic protected health information (ePHI) has been exposed during 2015 to nearly 110 million.
As evidenced by the BCBS, Anthem, and Premera breaches, health providers are proving to be both easy and data-rich targets for hackers. Outdated technology, insecure network-enabled devices, complex data systems with multiple points of entry, and an overall lack of information security procedures and processes are making health systems particularly vulnerable to cyber attacks.
The BCBS breach serves as yet another glaring example of the need for constant vigilance over corporate IT systems, particularly in those sectors that maintain data subject to HIPAA and HITECH. Given the potential legal liability for non-compliance, and the increased focus on enforcement seen in the last several years, companies must count data security among their highest priorities.