Skip to main content

Excellus Data Breach: What to Do Now

Rochester, New York-based Excellus Blue Cross/Blue Shield and its parent company, Lifetime Healthcare, appear to be the most recent victims of a rash of data breaches plaguing large health insurers across the United States. If you're covered by either company, read on for what to do to protect yourself from identity theft.

The affected personal information may include the "name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information" of about 10 million Excellus and Lifetime customers, according to information websites posted by both companies.

MORE: Best Identity-Protection Services

The Excellus breach appears to be nearly identical to data thefts disclosed earlier this year at Anthem Blue Cross/Blue Shield, which affected about 79 million customers, and Premera Blue Cross/Blue Shield, which impacted 11 million. Chinese state-sponsored hackers are suspected in both the earlier attacks. However, the Excellus attackers appear to have been at work since December 2013, a year earlier than the Anthem attack began.

Excellus and Lifetime will be mailing letter to affected customers, who will receive two free years of identity-theft protection from risk-mitigation and investigation firm Kroll Inc. Concerned customers can call 1-877-589-3331, or visit or (the two sites are nearly identical).

Whatever you do, DON'T pay attention to emails or other messages purporting to come from Excellus or Lifetime "notifying" you of the breach and inviting you to sign up online for data protection. The messages and links may be scams trying to steal your personal information. Instead, wait for the letter to arrive.

What to do if you're an Excellus or Lifetime customer

Until then, here's what you can do to protect yourself if you think you might be affected.

Contact one of the three major credit-reporting agencies — Equifax, Experian and TransUnion — and ask it to place a free credit alert on your file. (The agency you contact will notify the other two). You'll be notified if anyone tries to run a credit check on you or open an account in your name. The alert lasts for 90 days, but can be renewed indefinitely, for free.

If you discover a fraudulent account in your name, file a police report — it's a crucial legal step. Then contact the credit-reporting agencies, tell them what happened and ask for a credit freeze, which will stop any activity on your accounts without your explicit consent. A credit freeze can complicate your financial life, but you've already got bigger problems if your identity's been stolen.

If nothing bad happens to your credit or your identity after 6 or 8 months, you're probably in the clear. But there's still something you, and in fact everyone, ought to do: Request a free credit report every year from each of the three credit-reporting agencies, which will help you keep an eye on your records. If you space out the requests over the course of a calendar year, you can get a new report every four months.