Excellus Blue Cross Blue Shield Breach Yet Another Sign To Step Up Health-Care Security Investment

If health-care businesses managed to ignore the Anthem, Premera, CareFirst and other industry breaches earlier this year, security experts said they hope the Excellus Blue Cross Blue Shield breach this week helps perk up their ears to the importance of security investments in health care.

On Wednesday, Excellus, a Blue Cross Blue Shield affiliate focused on the upstate New York area, announced that it had been hit by a "very sophisticated cyberattack" that compromised the records of approximately 10.5 million people: Excellus members, people who do business with Excellus, and holders of other Blue Cross Blue Shield insurance plans who received treatment in the region. The attack had been under way since Dec. 23, 2013, and was discovered on Aug. 5, 2015.

Records potentially exposed include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information. The company noted that it is not yet sure what information was actually taken from the systems.


The Excellus breach is just the latest in an "epidemic" of health-care breaches in recent months, Art Gross, CEO of Morristown, N.J.-based health-care managed service provider Entegration and CEO of HIPAA Secure Now, said. Including Anthem, Premera and CareFirst, there have been 18 reported breaches so far this year in health care and the medical provider industry, according to the Privacy Rights Clearinghouse.

"It's not going to stop anytime soon. You would think that the industry sees all of these data breaches and freaks out and does everything they can to protect themselves, but we're not seeing that at all yet," Gross said. "We need a wake-up in the industry," he added.

The challenge, Gross said, is that many health-care organizations are still taking the "it can't happen to me" attitude toward security. Because the Excellus incident is smaller in scale than many of the health-care breaches so far this year, Gross said he hopes it will alert smaller insurance and medical companies that hackers aren't just targeting the biggest providers anymore.

That level of awareness is definitely on the rise, Ben Johnson, chief security strategist at Bit9 + Carbon Black, said, but health-care companies need to take more action to ensure their data is secure. While many health-care companies said they make security a top priority, Johnson said those he has interacted with fall short of applying a successful layered security approach that could protect them from a major breach.

"We need to change that equation," Johnson said.

Johnson recommended solution providers use the exposure from breaches, such as Excellus, to initiate conversations around ways to improve a company's compliance and security posture without causing interruptions to the critical day-to-day business operations of a health-care practice.

Gross said he expects the government also will need to step up its game when it comes to HIPAA regulation enforcement, comparing it right now to a 35-mile-per-hour speed limit zone where drivers all go 50 miles per hour without enforcement.

Gross said he has seen it with his own clients, who call him in a panic about a HIPAA audit letter but had been hesitant to invest in security before that. Gross said it will ultimately come down to a breach that "hits home" close enough for a company to decide it could be next.

"I think what has to happen is organizations [need to] look and say that this could be us ... It has to hit closer to home," Gross said.

Excellus said it will mail letters to notify those compromised and will provide two years of identity-theft protection and credit monitoring. The company also is working with the FBI to investigate the attack, and cybersecurity firm Mandiant to remediate the issues found.