The unenviable task of mailing out 10.5 million letters warning people that their identities might be stolen is nearing completion.
Next up for Excellus BlueCross BlueShield? Dealing with worried customers' fears that they've already been defrauded and defending itself against lawsuits. At least 12 suits have been filed so far.
The Rochester-based health insurer, the largest in this part of the state, announced on September 9th that computer hackers had gotten access to personal information of 10.5 million current and former customers and vendors of Excellus, parent company Lifetime HealthCare and other Lifetime subsidiaries.
The exposed data included customer names and addresses, Social Security numbers, insurance identification numbers, financial information, and medical claims records.
Excellus and the FBI, which is investigating, have made no public statements about who might have broken into Excellus' systems, why they might have done so, or exactly how the intrusion went undetected for nearly 20 months.
The two-page Excellus letter asserts the hackers "may have gained unauthorized access" to sensitive personal data, but stops short of saying they actually stole copies of the data or are making use of it today.
Company spokesman Jim Redmond reiterated last week that "we did not find any evidence of the collection or exfiltration of sensitive data and, to date, there is no evidence that any data has been used inappropriately."
But because the company cannot say for certain that that hasn't happened, it has offered two years of free credit monitoring and other identity-theft protection to the 10.5 million affected parties. About 8.6 million of those people had received notification letters as of Thursday, with the balance due to get them by Nov. 9, Redmond said.
He said that "hundreds of thousands" of people had signed up for some portion of the protection.
At least some affected customers believe they've already been victimized. Three of the 12 lawsuits assert that Excellus subscribers have suffered identity theft or credit-card fraud as a result of the digital break-in, in which millions of customer records were left open to hackers and possibly copied.
"We have reason to believe that their information's out there as a result of the Excellus breach," said Hadley Matarazzo, one of the lawyers who brought suit on behalf of the Fairport family and other plaintiffs.
Matarazzo's lawsuit also cited the case of a husband and wife in Hilton who claim the Excellus hack allowed unknown criminals to appropriate their names and Social Security numbers in September to try to con their way into the IRS's data banks.