OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks. As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.
Excellus BlueCross BlueShield has announced that the personal information of at least 10 million members has been compromised in a “very sophisticated” cyberattack that occurred on December 23, 2013 and was discovered by the plan on August 5, 2015. According to a notification posted on the company’s website, hackers may have accessed the name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information of affected members.
Excellus is offering no specifics regarding the nature of the attack but states repeatedly, throughout its website notification and related FAQs, that it has found no evidence of sensitive information being removed from its systems or misused. Excellus began the process of mailing notices to affected individuals on September 9, and is providing two years of credit monitoring.
The Excellus breach follows a string of significant health plan data breaches this year, including the Anthem breach affecting 80 million members, the Premera breach affecting 11 million members, and the comparatively small, although extremely significant, CareFirst breach affecting 1.1 million members.
Stay tuned for the inevitable class action lawsuit. We will have more as this story develops.