October 1, 2015

Frequently Asked Questions from Health Plan Sponsors about the Excellus BlueCross BlueShield (Lifetime Healthcare) Cyber Attack

In September, Excellus BlueCross BlueShield reported discovering in August that its Information Technology systems were breached in a December 2013 cyber attack that may have given the attackers access to individuals’ personal information. To assist those who may have been affected by this data breach, Segal Select Insurance Services has created thus webpage to provide answers to some frequently asked questions.

Where can I learn more about the breach?

Excellus has created a website, http://excellusfacts.com/, that includes a message from its president about the breach and answers 15 questions.

Lifetime Healthcare Companies, the parent of Excellus, has created a similar website, http://lifethcfacts.com, that also includes a message from president about the breach and answers 15 questions. In addition, the website of Lifetime Healthcare Companies features a notice about the attack.

How were individuals notified about the breach?

Lifetime Healthcare used at least seven different notification letters to reach participants, guardians and estates.

Which states and federal departments were notified?

At least 40 different “entities” were notified, including 18 states, Puerto Rico, three credit bureaus, the Department of Health and Human Services, the Centers for Medicare and Medicaid Services and the National Association of Insurance Commissioners. Many states required two different notices; one required three, including one to the state police.

Share this page

Contact an Expert