10.5 Million Person Healthcare Hack Revealed 19 Months Later

As we (and pretty much everyone) predicted, the number of healthcare breaches continues to grow. In the latest case, Rochester, New York based Excellus BlueCross BlueShield and related companies were hacked. As per usual, the hackers, described as “shadowy groups in China,” mounted a “sophisticated cyberattack” which compromised data including names, addresses, telephone numbers, social security numbers, financial account information, and some medical information.

Here’s a description of the 10.5 million records that were affected:

Affected parties include about 7 million people who are insured by Excellus, patients covered by those policies and Blue Cross Blue Shield members from other parts of the country who received medical care that was billed through Excellus, Redmond said. Excellus is the largest health insurer in the Rochester area.

The records of an additional 3.5 million people who receive services through five Lifetime units — Lifetime Health, Lifetime Care, Univera Healthcare, MedAmerica and Lifetime Benefits Solutions — also were breached by the hackers.

The irony of this story is that the initial hack seems to have occurred on Dec 23, 2013, but wasn’t discovered by the staff until much later. The report suggests that the hack wasn’t discovered until they did an investigation into their own systems after the 78.8 million person Anthem breach. What’s not clear to me is why it took them so long after that breach, which occurred in February 2015, to finally announce their own breach.

The company is offering the standard 2 years of identity and credit card protection to affected individuals. Does this all feel somewhat routine now? I’m sorry to say that it’s become so common that it almost feels like a non-event. It probably doesn’t feel that way to the millions of patients who got a notice in the mail. Although, with breaches of Google, Amazon, Target, etc., I think we’re all becoming somewhat numb to breaches of our personal data.

About the author

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Like I have said all along, there should be no penalties for Data Breach. We should all just agree that no matter what we do, in the end all Patient Data is now Public Domain. We simply need to remove any truly revealing information in the Data, or we have to just give in to the fact that we as a society don’t have personal data once it is on a wire.

  • I have to agree about getting numb to this. Frankly, we are not going to ever be able to stay ahead of the hackers. The healthcare industry focus is not on security, it’s on profits, and there will never be enough money spent on this. I’m, frankly, not sure there *IS* enough money to plug the holes and keep up with the hackers.

    I’m afraid that we are going to have to give up on data privacy and focus on getting real, valid healthcare outcomes that improve our biological existence.

    PS: don’t give your social security number to your providers, insurance or otherwise. That field should be removed from all EHRs.

  • Tony,
    I think you’re right about it being impossible to prevent all hackers. See the government and what they’ve spent trying. I think we can do better than we’re doing today and we should, but we have to expect this to happen more.

    I’m still surprised about SSN still getting tracked as well. Although this was an insurance company and I think they might have a need for that info. Not sure, but I could see why they might need it to check your history.
