Excellus BlueCross Blue Shield cyber attack
September 15, 2015
Blue Shield of California is aware of the Excellus BlueCross BlueShield cyber attack and we are working to gather more information to understand the scope of this issue.
Excellus BlueCross BlueShield is separate and independent from Blue Shield of California and does not operate in the state, though Blue Shield of California members who received medical care in upstate New York through the BlueCard® Program could be affected. Members who believe they might be affected should visit www.excellusfacts.com for updates.
Blue Shield of California IT systems remain unaffected by the Excellus BlueCross BlueShield cyber attack. As we continue to gather information, in conjunction with the Blue Cross and Blue Shield Association, safeguarding the security of our systems and our members’ data remains our priority.
For additional information and assistance about the Excellus BlueCross BlueShield situation, visit www.excellusfacts.com or call their dedicated toll-free phone line at (877) 589-3331.
NOTICE OF CYBERATTACK AFFECTING EXCELLUS BLUECROSS BLUESHIELD
On August 5, 2015, Excellus BlueCross BlueShield learned that cyber attackers had executed a sophisticated attack to gain unauthorized access to our Information Technology (IT) systems. Our investigation further revealed that the initial attack occurred on December 23, 2013. As part of our own investigation, we notified the FBI and are coordinating with the Bureau’s investigation into this attack.
We worked closely with Mandiant, one of the world’s leading cyber security firms, to conduct our investigation and to remediate the issues created by the attack on our IT systems. We are taking additional actions to strengthen and enhance the security of our IT systems moving forward.
Our investigation determined that the attackers may have gained unauthorized access to individuals’ information, which could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31 county upstate New York service area of Excellus BCBS. Individuals who do business with us and provided us with their financial account information or Social Security number are also affected.
The investigation has not determined that any such data was removed from our systems. We also have no evidence to date that such data has been used inappropriately.
We recognize this issue can be frustrating and we are taking steps to protect you. We are beginning to mail letters to affected individuals today, September 9. We are providing two years of free identity theft protection services through Kroll, a global leader in risk mitigation and response solutions, including credit monitoring powered by TransUnion, to affected individuals. We also have established a dedicated call center for affected individuals to contact with any questions. Individuals who believe they are affected by this incident but who have not received a letter by November 9, are encouraged to call 1-877-589-3331, Monday through Friday, between 8:00 a.m. and 8:00 p.m. Eastern Time (closed on U.S. observed holidays).
We sincerely regret the frustration and concern this incident may cause. We want you to know that protecting your information is incredibly important to us, as is helping you through this situation with the information and support you need.