9/10/2015 04:30 PM

Another Healthcare Insurer, Excellus BCBS, Hit With Mega-Breach

Excellus Blue Cross Blue Shield and parent company Lifetime Healthcare Companies join ranks of Anthem and Premera after breach that may have exposed more than 10 million patient records.

Cyber attackers last month executed a sophisticated attack that gained unauthorized access to the IT systems of Excellus BlueCross BlueShield and its parent company, Lifetime Healthcare Companies, possibly exposing more than 10 million personal records.

The Rochester, N.Y.-based insurers learned Aug. 5 that cyber attackers had gained access to IT systems hosting individuals’ personal information, company officials reported Wednesday. Further investigation revealed that the initial attack occurred on Dec. 23, 2013, they said.

Company officials notified the FBI and are coordinating with the Bureau’s investigation into this attack. Excellus also hired Mandiant to conduct the investigation and help remediate the issues created by the attack on its IT systems; Mandiant has also conducted investigations at several of the other healthcare companies that were breached recently.

So far in 2015, cyber attackers have targeted Anthem, Premera Blue Cross, LifeWise, UCLA Health System, CareFirst BCBS, and now Excellus. Security researchers have linked some of these attacks to groups in China, which would suggest the attackers are not out for financial gain but instead the collection of personal information on prominent Americans.

[Why so many attacks on healthcare companies, starting with the Community Health Systems breach in 2014? Read "Healthcare Breaches Like Premera First Stage Of Bigger Attacks?" on Dark Reading.]

Attackers increasingly are targeting “medical databases and protected healthcare information because they contain a treasure trove of personal identifiable information that they can use or sell on the black market to feed identity theft schemes,” said Adam Levin, founder and chairman of identity theft protection firm IDT911, and former director of the New Jersey Division of Consumer Affairs.

According to the Identity Theft Resource Center (via data security provider Netsurion), medical/healthcare is the second largest sector affected by breaches in 2015, with approximately 109.6 million records compromised.

The Excellus attackers may have gained access to personal information, including names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claims data.

However, the investigation has not determined that any such data was removed from Excellus’ systems. “We also have no evidence to date that such data has been used inappropriately,” company officials say.

“As breaches have become the third certainty in life, data must be encrypted and there needs to be multiple layers of security, like two-way authentication,” Levin says. “The initial intrusion took place more than a year ago, which begs the question, ‘who was minding the store?’”

“While it’s mentioned that there’s no evidence of files being stolen, [reports] also mentioned that the files were encrypted and that attackers had gained administrative access to the files, being able to presumably view them in an unencrypted form,” says Adam Kujawa, head of malware intelligence at Malwarebytes Labs, research arm of the anti-malware company.

“It then follows that with an attack of this magnitude, being done over the course of more than a year, cybercriminals probably stole information by simply copying and pasting it from its unencrypted form on the secure network to their own systems or utilizing built-in tools to parse the information for the most valuable data,” Kujawa says.

Kujawa thinks this latest breach is just another example of the weak cyber security measures currently in place for sensitive information. “While many industries, such as banking, are stepping up to the plate, there’s still a slow adoption or even failure from industries such as healthcare,” he says.

Companies need to invest in employee training on proper security and privacy protocols, because a company is only as good as its weakest link, notes Levin. Affected members should immediately change usernames and passwords and use diverse, long, and strong passwords for their personal and financial accounts, he advises.

“They should also check their accounts for any suspicious activity and sign up for transactional alerts from their bank.”

Excellus is providing two years of free identity theft protection services through Kroll, a global leader in risk mitigation and response solutions, including credit monitoring by TransUnion, to affected individuals, the company says.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.