As frustrations simmer and lawsuits mount over the massive hack of Excellus BlueCross BlueShield, the company has yet to publicly explain in full how the hackers slipped into its computer network — and avoided detection for 20 long months.
The digital break-in, the worst-ever in the Rochester region and one of the worst in the history of American health care, gave criminal hackers unfettered access to highly sensitive records of 10.5 million customers and vendors of Rochester-based Excellus and related companies.
The fallout of the hack, which was made public Sept. 9, continues:
- Claims are already flying that people have been victimized by fraud or identity theft as a result of the digital break-in. Lawyers say they’re sure the incidents stem from the Excellus intrusion. Others say they’re not sure.
- At least 12 lawsuits have been filed against Excellus and its corporate parent, Lifetime HealthCare, all of them alleging utter failure by the health insurer to protect customers’ sensitive data. A major legal fight over those claims likely will be played out in a local courtroom.
- As social media posts and legal papers make clear, the Excellus hack has left many Rochester-area residents fearful of identity theft and fraud on a scale not seen before.
- Children whose data was warehoused by Excellus are a particular concern. Experts say identity theft of minors is hard to detect and very difficult to deal with.
- Legislation that would set stringent digital security standards for companies with sensitive data, inspired by the Excellus case, is in the works, an influential state senator said.
The Excellus hack was part of a wave of cyberattacks against the health-care industry over the last two years.
Eight large-scale hacking incidents alone exposed a total of 115 million personal records to prying eyes. Excellus was among the largest.
But Excellus was exceptional in another way: It needed far more time than any of the other providers to discover it had been broken into.
None of the other seven breach victims needed a year to find out they’d been targeted. One uncovered its hackers in just 19 days.
Excellus needed almost 20 months.
The Rochester health insurer has offered no detailed explanation for the slowness of its response to what it termed a “highly sophisticated” hacker assault.
“We are not in a position to speak to other companies’ cyberattack experiences,” Excellus spokesman Jim Redmond said. “However, the attackers used techniques to actively hide their presence in our environment during the compromise, which included using legitimate credentials to blend in with ‘normal’ traffic.”
Today, almost two years from the assault’s opening salvo, Excellus’ top-rung security consultant cannot produce any evidence to explain how the hackers got into the company’s computer systems in the first place, Redmond told the Democrat and Chronicle.
Computer security experts say health-care establishments are the latest target for opportunity for hackers who use digital legerdemain to remotely access sensitive data. A third of the 147 such hacking incidents reported to federal health authorities since 2010 have taken place this year.
The scope has changed as well. All eight of the truly big hacks, in which more than 1 million records were exposed, have taken place in the last two years. The victims were four Blue Cross affiliates, two hospital groups, a Montana state agency and an electronic medical records company.
Who is behind the intrusions, and whether any of them were perpetrated by the same hackers who broke into Excellus, remains the subject of speculation.
The intrusion at Excellus began when the hackers first gained access to the company’s computers on Dec. 23, 2013.
The company told state Sen. Michael Nozzolio, who has conducted his own inquiry into the breach, that it had robust security in place, assessed its vulnerabilities regularly and had vendors conduct annual “penetration testing.”
The company bristled at the suggestion it had failed. “A ‘security lapse’ did not occur,” the company told the Seneca County Republican in a letter. “This was a sophisticated cyberattack.”
But how the hackers broached Excellus’ security measures remains unclear.
Security analysts and journalists have posted evidence that hackers used a technique known as spear phishing to gain initial entry to two other BlueCross Blue Shield insurers, Anthem and Premera. Spear phishing is the term for sending fraudulent emails to targeted employees in hopes of inducing them to go to phony websites or download malicious software.
Asked if phishing was used by Excellus’ hackers to obtain employee passwords, Redmond said no.
However they first gained entry, the Excellus hackers were able to plant hidden software applications known as “malware” in Excellus’ computer systems. This malware was used “to obtain credentials for some legitimate Excellus employees from internal Excellus systems,” according to Redmond.
Malware can aid hackers in many ways; one tried-and-true application logs and transmits users’ keystrokes, making theft of user names and passwords easy.
The user accounts that were compromised at Excellus were of employees with high-level administrative access, which allowed them to roam freely through company data. The company told Nozzolio that the hackers could have unlocked any encrypted data they found “because of the type of access the attacker possibly had.”
Forensic evidence developed by Excellus’ security consultant, Mandiant, showed the intruders were active inside the company’s computer systems — poking around and possibly copying data — from Dec. 23, 2013, to Aug. 18, 2014, Redmond said. That’s eight months.
Though they apparently left no traces of their presence beyond that date, the hackers’ means of access remained in place another nine months, until May 11, 2015. Something changed on that date that made it impossible for the intruders to lurk any longer.
Through these 17 months of vulnerability, and beyond, however, Excellus remained oblivious to the intrusion.
The seven other health-care establishments that exposed 1 million or more records to hackers during this same period of time needed an average of about seven months to discover they’d been had. The interval between reported onset and discovery ranged from 19 days to 11 months, according to publicly available information.
That dovetails with a February report by Mandiant, the computer-security company that Excellus hired, that in 2014, its corporate clients needed an average of about seven months to detect computer intruders.
Anthem made public its enormous hack in February 2015, and four more health-care companies had revealed large-volume intrusions by July. At some point during this time period, Excellus officials grew alarmed by the string of attacks.
“As a result of cyberattacks on other insurance companies across the country, Excellus proactively engaged Mandiant, one of the world’s leading cybersecurity firms, to conduct a forensic assessment of its IT (information technology) systems,” Redmond said. “During that assessment, Mandiant used its proprietary indicators of compromise to scan Excellus’ servers and workstations, and based on that scanning, Mandiant discovered indications that a cyberattack occurred.”
This discovery was made Aug. 5, the company has said — 590 days, or nearly 20 months, after the intrusion began.
The company announced the hack Sept. 9.
SORR@DemocratandChronicle.com
Lookalike sites
Hackers who gained entry to Anthem and Premera BlueCross BlueShield computer systems last year reportedly directed phishing emails at company employees. The emails directed the employees to visit webpages that appeared to be legitimate Anthem or Premera sites.
But they were lookalike sites, according to articles posted by consulting firm ThreatConnect and cybersecurity writer Brian Krebs. One was prennera.com (instead of the legitimate premera.com) and the other we11point.com (instead of wellpoint.com, reflecting the corporate name that Anthem then used).
Employees who visited the illegitimate sites without realizing they’d been duped then likely aided the hackers by typing in passwords or downloading malicious software.
The use of lookalike sites to swipe passwords and otherwise violate people’s privacy is certainly not uncommon.
The Democrat and Chronicle identified a similar lookalike website for Excellus, but the company said it had nothing to do with its woes.
The site in question, Excellusbsbc.com (the “bs” and “bc” are transposed from the real web address), was registered anonymously about six weeks before the company was first hacked, online records show. The site apparently was hosted on a server in Germany.
The website is still active but now houses a collection of advertising links. Asked about the Excellus domain name, Krebs told the Democrat and Chronicle that, “While on the surface, this looks like some aspects of it may fit the M.O. of previous attacks, it’s really inconclusive and there are quite a few loose ends here that I can’t reconcile.”
Excellus spokesman Jim Redmond was more emphatic, saying, “No, it was not used as part of a scheme to gain entry to Excellus’ IT systems.”
Key findings
- At least 12 lawsuits have been filed accusing Excellus and Lifetime HealthCare of negligently allowing hackers to access sensitive data on the company’s computer servers.
- Some people claim they already have been victims of credit-card fraud or identity theft as a result of criminal misuse of data taken from Excellus. The company said it has no evidence this has occurred.
- Excellus has provided relatively few details about the break-in of its computer system, which allowed hackers access to customers’ and vendors’ sensitive personal data for as long as 17 months.
- It remains to be determined which of the 10.5 million parties whose data was compromised can be included in the class-action legal action now taking shape in federal court.
Note
Reporters Steve Orr and Patti Singer are among the millions of people who have been notified that their personal data were exposed to hackers at ExcellusBCBS. They are prospective plaintiffs in the expected class-action lawsuit against Excellus and Lifetime HealthCare. While we do not believe that prospect affected their ability to produce this report in a fair and impartial manner, we are sharing the information for the sake of transparency.
Date: November 8, 2015