10.5 Million Person Healthcare Hack Revealed 19 Months Later

Posted on September 21, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

As we (and pretty much everyone) predicted, the number of healthcare breaches continues to grow. In the latest case, Rochester, New York based Excellus BlueCross BlueShield and related companies were hacked. As per usual, the hackers, described as “shadowy groups in China,” mounted a “sophisticated cyberattack” which compromised data including names, addresses, telephone numbers, Social Security numbers, financial account information, and some medical information.

Here’s a description of the 10.5 million records that were affected:

Affected parties include about 7 million people who are insured by Excellus, patients covered by those policies and Blue Cross Blue Shield members from other parts of the country who received medical care that was billed through Excellus, Redmond said. Excellus is the largest health insurer in the Rochester area.

The records of an additional 3.5 million people who receive services through five Lifetime units — Lifetime Health, Lifetime Care, Univera Healthcare, MedAmerica and Lifetime Benefits Solutions — also were breached by the hackers.

The irony of this story is that the initial hack seems to have occurred on Dec 23, 2013, but wasn’t discovered by the staff until much later. The report suggests that the hack wasn’t discovered until they investigated their own systems in the wake of the 78.8 million person Anthem breach. What’s not clear to me is why it took them so long after that breach, which occurred in February 2015, to finally announce their own.

The company is offering the standard 2 years of identity and credit card protection to affected individuals. Does this all feel somewhat routine now? I’m sorry to say that it’s become so common that it almost feels like a non-event. It probably doesn’t feel that way to the millions of patients who got a notice in the mail. Still, with breaches at Google, Amazon, Target, etc., I think we’re all becoming somewhat numb to breaches of our personal data.