Hackers had unfettered access to Excellus BlueCross BlueShield's information systems for more than a year and a half before the health plan even noticed the cyberattack had occurred.

The health plan, which covers members living across 31 counties in New York State, only first discovered the cyberattack in the beginning of August, despite the hack initially taking place December 2013.

According to a company Sept. 9 notice, hackers swiped Social Security numbers and personal data of 10.5 million individuals, making it the third largest HIPAA breach ever reported, since the HHS breach notification rule took effect in 2009 -- behind the Anthem and Premera cyberattacks. Other information swiped by hackers included member names, dates of birth, medical claims data, financial account information, addresses and phone numbers.

[See also: Hackers swipe data of 4.5M at UCLA Health System in massive cyberattack.]

The 10.5 million people who had their data stolen include members, patients and others who did business with the following health plans: BlueCard members; BlueCross BlueShield of Central New York; BlueCross and BlueShield of the Rochester Area; BlueCross BlueShield of Utica-Watertown; and Excellus BCBS.

"We sincerely regret the frustration and concern this incident may cause," wrote Excellus BCBS President and CEO Christopher C. Booth, in a statement. "We want you to know that protecting your information is incredibly important to us, as is helping you through this situation with the information and support you need."

Health plan officials said it would be extending identity theft protection to affected individuals for a two-year period.

To date, nearly 143.8 million people have had their protected health information compromised in a HIPAA privacy or security breach, according to data from the Department of Health and Human Services. Cyberattacks and hacking-related events have impacted nearly 110 million of that total, close to 77 percent. 

The Excellus cyberattack notification comes in the wake of a string of attacks reported this year, the largest being the hack at Anthem, which compromised the data of nearly 79 million people.

[See also: Anthem hack: 'Healthcare is a target'.]

When discussing the Anthem breach this February, Kevin Johnson, chief executive officer of the security consulting firm Secure Ideas, who has done extensive work for insurance companies as a consultant and a security administrator, told Healthcare IT News: "I have never found an insurance company that required a sophisticated attacking incident," said Johnson. "Period." Although he has not worked with Anthem before, Johnson said they're all very similar in that they have behemoth networks and "tons of systems" that make it challenging from a security perspective.