US insurance group Excellus Blue Cross and Blue Shield has warned that up to 10 million customer records may have been compromised during the course of a two-year cyberattack on its computer systems.
The Rochester, NY-based firm says that it first became aware of the infiltration in early August, but that the first intrusion had occurred as far back as 23 December 2013.
Initial investigations indicate that the unidentified assailants may have gained unauthorised access to customer names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claims information.
The attack affected about seven million Excellus members and 3.5 million customers of subsidiary firm Lifetime Healthcare Cos.
The company has appointed cybersecurity outfit Mandiant to investigate the attack and is offering customers two years' worth of free identity theft protection services from Kroll.
In a statement, president and CEO Christopher Booth says the forensic examination has yet to determine if any data was removed from the insurer's systems, nor is there evidence to date that the compromised data has been used fraudulently.