Hackers gain entry to 10 million Excellus insurance records

Insurance provider says attack began nearly two years ago before being discovered last week

Hackers infiltrated the systems of Excellus BlueCross Blue Shield gaining access to some 10 million healthcare records some of which included medical history, the company announced Wednesday.

The Rochester, N.Y.-based insurer said the breach began nearly two years ago and was first discovered last month. The company said it has not determined if data was actually taken off its servers, but the hackers did have access to records that included personal information such as birth dates, Social Security numbers and addresses along with claims and payment information.

"The investigation has not determined that any such data was removed from our systems," Excellus CEO Christopher Booth said in a memo on the company's website. "We also have no evidence to date that such data has been used inappropriately."

As in many recent breaches across vertical industry, the company issued a statement classifying the breach as "a very sophisticated cyberattack." In addition, the breach fits recent profiles that show hackers are spending multiple years weaving their way through computer systems.

The hack is the latest in a series of incidents involving health care companies, including the hack in February on Anthem that affected up to 80 million people.

In July, medical data on 4.5 million people was exposed in a hack of University of California (UCLA) Health.

Excellus did not say who might have been behind the attack on their systems. The company is providing victims two years of free credit monitoring and identity theft protection services.

The hack comes at a time when federal courts are beginning to examine class-action lawsuits and gauge the on-going affects these data thefts have on victims. Courts are considering liability issues and how much real, as well as, continuing harm exists for the victims of data breaches who contend that companies were negligent in protecting their personal data. Traditionally, courts have ruled that victims don't have the right to file lawsuits over the threat of on-going problems.