Excellus BlueCross BlueShield Cyber Attack: Frequently Asked Questions

We recently learned that Excellus BlueCross BlueShield (Excellus BCBS) was the target of a sophisticated cyber attack. Blue Cross & Blue Shield of Rhode Island (BCBSRI) members who were affected by the cyber attack will receive a letter from Excellus BCBS by November 9, 2015. The letter will explain the free credit monitoring and identity protection services available to members.

BCBSRI and Excellus BCBS are both part of the Blue Cross and Blue Shield network but are separate and distinct companies. Through various collaborative agreements, some information on members is shared. Please see the FAQs below for information on the Excellus BCBS attack as well as our commitment to safeguarding your information. You can also find more information on Excellus BCBS’s website at www.excellusfacts.com.

Why would Excellus BCBS have access to my data?
The Blue Cross and Blue Shield network includes 37 independent companies operating in various locations across the United States and Puerto Rico. This network enables you to receive the same health insurance benefits for any medical care you may need while living or traveling within the coverage areas of any other Blues plan.

In those cases, your medical claim is sent from the Blues plan that received it to BCBSRI. This ensures that your claim is processed based on your personal benefit plan and that you receive the discounted rate from the out-of-area Blues plan.

Which BCBSRI members may have been impacted by the Excellus BCBS cyber attack?
If you have received medical services in upstate New York, your data may be affected. You may have received services in upstate New York because you live there, your provider is based there, or you received medical care while traveling.

How will I know if I've been affected?
Excellus BCBS has started mailing letters to the approximately seven million affected individuals. If your information has been affected, you will receive a letter from Excellus BCBS by November 9, 2015. If you believe your information may have been affected but have not received a letter by that time, please visit www.excellusfacts.com or call 1-877-589-3331.

If my data was compromised, what was included?
Excellus BCBS’s investigation determined that the attackers may have gained unauthorized access to information that could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information. At this time, there is no indication that data was removed from the system or used inappropriately.

If my information was affected by the Excellus BCBS attack, will credit or ID theft monitoring be available to me?
Yes. Excellus BCBS will send you a letter explaining how to access free credit monitoring and identity theft protection services. You’ll receive two years of free identity theft protection services through Kroll, a global leader in risk mitigation and response solutions, including credit monitoring powered by TransUnion. You can also sign up at www.excellusfacts.com.

When did the cyber attack occur?
As a result of cyber attacks on other insurance companies, Excellus BCBS had engaged FireEye’s Mandiant incident response division, one of the world’s leading cybersecurity firms, to conduct a forensic assessment of its IT systems. On August 5, 2015, Excellus BCBS learned that cyber attackers had gained unauthorized access to its IT systems. Excellus BCBS notified the FBI and is cooperating with the bureau’s investigation.

Were providers impacted by the Excellus BCBS attack?
Yes, providers that contract directly with Excellus BCBS may be affected by the cyber attack. If you are a BCBSRI provider and have not contracted with Excellus BCBS directly, your information was not involved in this incident.

Where can I get more information about the Excellus BCBS cyber attack?
Please visit www.excellusfacts.com for additional information and resources, including assistance that Excellus BCBS is providing to consumers.