FireEye is heading the investigation, incident started in 2013.

Excellus BlueCross BlueShield, a health insurer in upstate New York, said on Wednesday that its systems and those located at affiliates had been compromised, potentially exposing the personal information of nearly ten million members.

The breach was discovered on August 5, and additional investigation revealed that the incident started around Christmas in 2013. Excellus discovered the breach after hiring FireEye to assess their network.

The company had been following the security problems at other BlueCross BlueShield providers, as well as the issues at Anthem, and felt an assessment was in order. It wasn’t long before teams from FireEye had detected problems.

In a statement, Excellus said that the person(s) responsible for the attach might have gained access to personal information, including “name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information.”

“The most compelling element of this episode is the 20 months it took Excellus to discover the breach and put a stop to it,” said Jeff Hill, Channel Marketing Manager for STEALTHbits, in a statement.

“Twenty months exceeds the average breach discovery time – about 200 days – but in Excellus’ defense, it beats the over 5 years hackers ran wild on the newswire services’ networks before being discovered by the SEC, not internal IT systems.

“Gone are the days of smash-and-grab operations executed by impetuous, immature hackers. Of the newest weapons and tactics being deployed by today’s attackers, patience may be the most dangerous development.”

Those who have had their information exposed will be contacted by postal letter. However, Excellus stressed that while the network was breached, and there is evidence of such, there is no evidence that any personal information was exported from the network.

Still, out of caution, the company (through their corporate parent Lifetime Healthcare) is offering two years of credit monitoring and identity theft protection to those affected.

Via: csoonline