In a statement, Excellus President and CEO Christopher C. Booth called the breach of the company’s systems a “very sophisticated cyber-attack.” It happened just before Christmas 2013 and was discovered only because Excellus brought in cybersecurity firm Mandiant to scan its IT systems forensically as a precaution following the discovery of attacks on other medical insurers. The extent of the damage done by the breach Mandiant found may never be known.
What is known is that the data the hackers accessed included names, dates of birth, Social Security numbers, addresses, telephone numbers, member identification numbers, financial account information and claims data. The records were encrypted, but the hackers had administrator-level access, so they could simply have copied the decrypted records into their own systems; encryption at rest offers no protection against an attacker who holds the credentials needed to read the data.
Lessons from the hack on Excellus and other medical insurers
1. Health information is under sustained attack
So far in 2015 the medical/healthcare sector has the second highest number of confirmed breaches, according to the Identity Theft Resource Center, well ahead of banking and financial services in third place. Experts have speculated that foreign governments are looking for information on prominent patients. A less colorful explanation is that medical databases contain a trove of information that facilitates identity theft. Either way, the danger is real and present.
2. Human factors should be tackled first
The first line of defense is employee training on proper security and privacy protocols. Many breaches begin with username and password theft, often through an employee opening an infected email attachment. This is one reason hacks go undetected for so long: the requests for files appear to be coming from authorized users. Also, no one should have more access to systems than their job requires.
3. Systems should be reviewed on an ongoing basis
Breaches are carried out by stealth, so it is seldom obvious that one has happened. The Excellus breach was discovered only because the company brought in a third party to audit its systems as a precaution. Systems, and the way they are configured, should be monitored continuously.
4. Protection needs to be appropriate to the data in question
Insurers should put a value on each type of information stored and focus the greatest amount of security on the most valuable data, which will be the personal information of clients.