Breach may impact local subscribers

FINGER LAKES--A recent cyberattack has put the personal information of some 10.5 million Excellus customers at risk. The health insurance company sent a notice to its customers Wednesday, Sept. 9, notifying them of the attack they discovered at the beginning of August. Michael King, certified health care reform and Affordable Care Act professional and principal of Century Benefits Group of Rochester, estimated up to half of those insured in Schuyler County could be Excellus customers.
"Excellus subscriptions in Schuyler could be as high as 50 percent, but it is not known how many will be affected by this security breach," King said.
In response, Excellus is providing two years of free credit monitoring and identity theft protection services to its customers through Kroll, a risk mitigation and response company. Excellus encourages those who believe their personal information is being misused to contact the Federal Trade Commission (FTC) at 1-877-438-4338 or by visiting their website at www.ftc.gov/idtheft. Residents can also contact the New York State Attorney General's Office at 1-800-771-7755 or visit www.ag.ny.gov/consumer-frauds-bureau/identity-theft. The FTC'swww.identitytheft.gov also provides the steps a person should take if they learn their identity has been stolen.
Lynette Baker, director of marketing with the Consumer Credit Counseling Service of Rochester, said there are a few things people can do now to monitor if their personal data is being used. She said acting quickly to monitor credit is the best thing to do, recommending people use annualcreditreport.com. She said a person can get one free credit report from Experian, TransUnion and Equifax every 12 months. Baker added a person can get one report now from one company, another in three to four months from a different company and another report from the last company three to four months after that to keep track of their credit.
She noted an identity thief could attempt to use someone's social security number to open new accounts, so monitoring credit reports could bring these new accounts to the victim's attention. Baker said a victim could also talk proactively to their bank in order to change their account numbers if they have been compromised. Baker also recommends filing taxes early next tax season, adding it can cause the victim several problems if the identity thief files a false tax return before the victim.
"If you do all those, you are going to be pretty good," Baker said. "[...] If they haven't used your information within a year, you can probably relax."
A message from Excellus President and CEO Christopher Booth states they first learned of the attack Aug. 5, 2015, adding their investigation revealed the initial attack occurred Dec. 23, 2013. He said the cyberattackers gained unauthorized access to the company's information technology (IT) systems.
"Our investigation determined that the attackers may have gained unauthorized access to individuals' information, which could include name, date of birth, social security number, mailing address, telephone number, member identification number, financial account information and claims information," Booth said. "This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31 county upstate New York service area of Excellus BCBS. Individuals who do business with us and provided us with their financial account information or Social Security number are also affected."
Regional Vice President of Communications Jim Redmond said Excellus discovered the attack when they hired a cybersecurity company to examine their IT systems this summer. He said this inspection was conducted due to other health insurers being the victim of cyberattacks in the past two years. Redmond noted once they discovered the attack, they immediately contacted the Federal Bureau of Investigation (FBI) and continue to coordinate with their investigation.
"The cyberattacks we have seen recently have been sophisticated," Redmond said. "[...] As soon as we learned of the attack, we remediated our IT system and contacted the FBI."
FBI spokesperson Carol Cratty said she is unable to comment on a possible culprit as the investigation is ongoing.
Redmond noted the priority following the discovery of the attack was to find out who was impacted and get services set up to assist them. He said customers were not contacted prior to Sept. 9 because there was no evidence any information was removed from the systems or has been used inappropriately.
"The investigation has not determined that any such data was removed from our systems," Booth added. "We also have no evidence to date that such data has been used inappropriately."
However, the Democrat and Chronicle reported Saturday, Sept. 19 that a class action lawsuit has been filed against Excellus in the wake of the data security breach. The article states the lawsuit claims negligence and breach of contract, seeking awards of unspecified damages and legal fees.