A health insurer in upstate New York was hacked, and more than 10 million of its members might have had their data stolen, Reuters reported on Thursday.
The Rochester-based insurer Excellus BlueCross BlueShield said it and its affiliates had been the target of a sophisticated cyberattack.
It is offering free identity theft protection services to those affected.
According to a Reuters report, Excellus said it learned of the cyberattack on August 5 from experts it had hired to perform a forensic assessment of its computer systems.
The assessment was done after other health insurers were attacked. A subsequent investigation found that the initial hack occurred in December of 2013.
Attackers may have gained access to members' information, including names, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information, the company said.
"We are taking additional actions to strengthen and enhance the security of our IT systems moving forward," the company said in a notice posted on its website.
"The investigation has not determined that any such data was removed from our systems and there is no evidence to date that any data has been used inappropriately," Excellus spokesman Jim Redmond said.
"The FBI is investigating a cyber intrusion involving Lifetime Healthcare Companies, which include Excellus BlueCross BlueShield, and will work with the firms to determine the nature and scope of the matter," the FBI confirmed in an emailed statement.
"Individuals contacted by the companies should take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center," it added.
UPDATE: Bryan Lillie, Chief Technology Officer, Cyber Security at QinetiQ, has commented: "This hack identifies the importance of regular monitoring for intrusions. This hack was going on for over a year and a half before it was found, which is a long time.
"While current reports haven't found evidence of data theft or misuse, a year and a half gives a party with an ulterior motive a huge amount of time with which to adversely impact a company's IT systems. To prevent this kind of intrusion, protective monitoring is a must; this will spot unusual activity and move security from a background function to a proactive, key part of the business.
"Often people deploy security in the wrong way. They install a software package or appliance but don’t think about how it works. Few people change their password regularly, let alone modify their firewall or check logs to see if there is anything odd going across the boundary, or something has been trying to get in. If you’re not looking, you’re not going to find it."