Health insurer system hacked, more than 10 million people impacted

Study finds 81 percent of major healthcare, health insurance companies had data breach in past 2 years

PEMBROKE PARK, Fla. – The sophisticated cyberattack on Excellus BlueCross BlueShield may have exposed the personal information of 10.5 million people.

That includes patients and individuals who do business with the company and its affiliates.

In a statement posted online, CEO Christopher C. Booth explained that while the company was made aware of the attack on its IT systems on Aug. 5, the "initial attack" happened nearly two years ago, on Dec. 23, 2013.

"As part of our own investigation, we notified the FBI and are coordinating with the Bureau's investigation into this attack," Booth said. "Our investigation determined that the attackers may have gained unauthorized access to individuals' information, which could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in the 31 county upstate New York service area of Excellus BCBS. Individuals who do business with us and provided us with their financial account information or Social Security number are also affected."

The company is providing two years of free credit monitoring and identity theft protection services.

The Better Business Bureau advises people who think they could be impacted to take advantage of those services and to place a fraud alert on their credit reports.

The company is beginning to mail letters to those impacted. Most of the patients are believed to live in upstate New York.

Excellus has also established a toll-free number for customers to call with questions about the incident: 1-877-589-3331. The company said to call the number if you believe you are affected, but do not receive a letter by Nov. 9.

At this point, it is not known if this attack is connected to three other recent large data breaches involving BlueCross BlueShield health insurers Anthem, Premera, and CareFirst.

Excellus affiliate Lifetime Healthcare Companies was also impacted by the attack.

Those impacted include individuals who do business with any of the following affiliated entities:

· Lifetime Benefit Solutions
· Lifetime Care
· Lifetime Health Medical Group
· The MedAmerica Companies
· Univera Healthcare

In a statement, LTHC said, "As a result of cyber attacks on other insurance companies, LTHC engaged FireEye's Mandiant incident response division, one of the world's leading cybersecurity firms, to conduct a forensic assessment of its Information Technology (IT) systems. LTHC notified the FBI and is cooperating with the bureau's investigation."

A recent KPMG study found 81 percent of major healthcare or health insurance companies had a data breach in the past two years.

Follow Christina Vazquez on Twitter @CallChristinaTV