Excellus, an upstate New York health care company, says information for as many as 10 million of its clients nationwide may have been exposed in an attack dating back to 2013.
The cyber breach was first discovered on August 5, Excellus spokesman Kevin Kane said.
Criminal attacks on healthcare computer systems are up 125% since 2010 and are now the leading cause of data breaches in the sector, a study by the Ponemon Institute found in March.
Health care companies are especially tempting targets for cyber attackers, as their files contain large amounts of personal information on users.
Because of the rise in attacks in the sector, earlier this year Excellus hired cyber security firm Mandiant to conduct a forensic review of its computer system, Kane said.
Mandiant found evidence of cyber break-ins dating back to Dec. 23, 2013. The FBI was called in and the company began working to notify customers.
Excellus Blue Cross Blue Shield is part of a larger parent company called Lifetime Healthcare, based in Rochester, NY. It serves about 10 million clients, primarily in upstate New York but with clients across the United States, Kane said.
Members of other Blue Cross Blue Shield plans who sought treatment in one of Excellus' service areas may also have been hit, he said.
The attackers may have gained access to Excellus clients' names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claim information, the company said.
The company so far has found no evidence of data leaving its computers or being used inappropriately, Kane said. However, it is offering two years of free identity theft protection services to affected individuals.
Premera, a Blue Cross Blue Shield insurer based in Washington state that also operates in Alaska, disclosed in March that information on as many as 11 million of its clients had been breached.
"It is becoming clear that 2015 is the year of the Health Care Hack," said Nikki Parker, with Covata, a security firm based in Australia.
Healthcare breaches in particular are often worse than they initially appear, said Arun Vishwanath, a professor at the University at Buffalo and an expert on cyber deception and information technology.
"In these kinds of cases, if you have access to the network, you won't stop, you will hit as much as you can. That means it won't just be BlueCross that is impacted, it will be their vendors, physician offices connecting to them, and accessible affiliates all over the country," he said.