Excellus Blue Cross Blue Shield’s big data breach and the security lessons we all need to learn

Guest Post by Debbie Fletcher

There are two possible conversations that could be kicked off by the news of the major data breach at Excellus Blue Cross Blue Shield in which more than 10 million customer accounts were exposed. The first possible conversation is about internet security and what businesses and organizations of all sizes need to be doing in order to better protect the customers that have entrusted them with personal and financial information. The second possible conversation is about whether or not it is technically ironic that Blue Shield failed to prevent an attack.

People, please. Both conversations are interesting, but one is significantly more important than the other. Read on for the facts of the attack on the US-based health insurance provider, what it means for internet security, and what you can do for your own website and business.

Health insurance companies are hit hard

It certainly seems like life is a breach if you’ve been paying attention to the troubles of healthcare companies. The attack on Excellus Blue Cross Blue Shield is just the latest in a string of health-related data breaches, with four other major data breaches occurring earlier this year.

Health insurance provider Anthem experienced a data breach that exposed the records of 80 million customers and employees; health insurance provider Premera experienced one that exposed the records of 11 million users; health insurance provider CareFirst had a breach that exposed the records of 1.1 million users; and healthcare provider Community Health Systems had one that exposed the records of 4.5 million patients.

While Anthem, Premera and CareFirst all use Blue Cross Blue Shield Association health insurance plans, as does Excellus Blue Cross Blue Shield, it has not been established whether the attacks are related.

Attackers potentially gained access to customers’ personal information (shutterstock)

Excellus security apparently not so excellent

If the news that Excellus Blue Cross Blue Shield experienced a data breach that exposed the records of 11 million people wasn’t bad enough, buckle in: there was more than one intrusion, and the first intrusion occurred in December of 2013. Yes, these intrusions went undetected for 21 months. Security experts believe the Excellus breach resulted from the failure of the company’s legacy security technologies, which rely on detection in order to stop these types of attacks.

According to Excellus, attackers potentially gained access to customers’ personal information, possibly including names, dates of birth, addresses, telephone numbers, Social Security numbers, financial account information and claims information. Naturally, the biggest risks for affected customers are fraud and identity theft.

In the wake of the data breach, Excellus is working with the FBI to investigate the intrusion and working to strengthen and enhance their IT security. Excellus has notified customers by mail and is offering two years of credit monitoring and identity theft protection services free of charge.

Complex security solutions

Health insurance providers and other healthcare companies rank alongside retail companies and financial institutions as the biggest targets of hackers, thanks to the high-value assets as well as the sheer volume of information stored in their IT systems. Unfortunately, health insurance and healthcare organizations are lagging behind when it comes to security.

“Much was already done to uphold these industries to a higher security standard but, evidently, there is much still left to do, starting with a thorough review of the existing IT systems,” says Igal Zeifman, Senior Digital Strategist at Incapsula. “Organizations should act based on the assumption that hackers are already inside their network and invest in threat detection alongside pre-emptive protection.”

Not only do organizations need to be concerned with detecting and blocking sophisticated intrusions, they also have to be cognizant of the risk that DDoS attacks pose. While DDoS attacks – which have been steadily growing in size, frequency and potency over the last few years – are generally thought of as nuisance attacks that render a website or other service unavailable to users, they are also commonly used as smokescreens to distract IT security while an intrusion is made and data is stolen.

A lesson for us all

You may not run a health insurance company, but you don’t have to in order to be left fairly shaken by this story. Every website and business runs the risk of a hacking, data breach or DDoS attack. Even small websites or businesses that wouldn’t consider themselves hacking or intrusion targets could very well be hit with a DDoS attack, especially with the recent rise of DDoS ransom notes.

When it comes to IT security, absolutely nothing can be taken for granted. Whether you invest in professional DDoS protection or need a more comprehensive solution, such as best-of-breed website security services, you need to be proactive. Stop attacks before they start, and before you’re asking forgiveness from the people who trusted your business or website.

In a way, you can thank Excellus Blue Cross Blue Shield for starting this important conversation about IT security. Unless you’re a customer of theirs, in which case you will not be expected to thank them for anything.
