New York state health insurer Excellus BlueCross BlueShield announced Wednesday, September 9, 2015, that it was the victim of a cyber-attack that allowed hackers access to personal information of approximately 10.5 million customers. Excellus BlueCross BlueShield and its parent company Lifetime Healthcare stated the breach occurred as early as December 23, 2013 and exposed client names, dates of birth, social security number, mailing addresses, phone numbers, member identification numbers, financial account information and claim information.
The discovery of this data breach happened just a few months after several other large-scale data breaches of healthcare insurers were announced earlier this year. Anthem Inc. reported in February 2015 that the personal information of approximately 80 million current and former customers was compromised after hackers accessed its online database. A few months after that, Medical Informatics Engineering, Inc. (MIE) announced a similar breach occurred in their data base affecting approximately 4 million people.
Lawsuits have been filed against Anthem and MIE for failing to protect sensitive customer information. Both of these insurers have offered free identity theft protection to the millions of customers whose information was compromised, however, many experts question if that is adequate protection against financial loss and medical fraud.