Medical healthcare hack
A research report indicates medical devices may be the next target of ransomware hackers. Healthcare companies and medical insurers have provided hackers with a clear window into Americans' personal information. (Photo: David McNew/Stringer)

Sensitive personal information belonging to more than 10 million people has been exposed to computer hackers who infiltrated BlueCross BlueShield, the health insurance company said. If it’s anything like the recent breaches throughout the healthcare industry, though, the number of people affected could be much higher.

Excellus BlueCross BlueShield announced on its website late Wednesday evening that hackers first infiltrated its networks in December 2013, though the breach wasn’t discovered until last month. Customer names, birthdates, Social Security numbers, mailing addresses, financial information and insurance claims information were compromised. The hack immediately ranks among the 20 most severe healthcare breaches ever reported, according to the U.S. Department of Health and Human Services’ data breach "Wall of Shame."

“We are providing two years of free credit monitoring and identity theft protection services,” Christopher Booth, president and CEO of the Rochester, New York-based company, said in a statement announcing the breach. “The investigation has not determined that any such data was removed from our systems. We also have no evidence to date that such data has been used inappropriately.”

Anthem health insurance and the U.S. Office of Personnel Management announced earlier this year they had been breached. Anthem initially said hackers stole 37.5 million records, only to admit three weeks later that the true total was somewhere closer to 80 million. The OPM breach, which contained Social Security numbers and highly personal security clearance forms, was first pegged at 4 million, though the total has since been revised to more than 21.5 million.

“In nearly every breach, the first headline is just the tip of the iceberg and we learn of more compromised records after the investigation has moved forward,” Tim Erlin, director of IT security and risk strategy at the cybersecurity company Tripwire, said in an email. “I would expect no less in this case. Healthcare seems to have run into a breach nexus. It’s clear that this industry has been targeted successfully.”