Web & Mobile Privacy Policy

This Website and Mobile Privacy Notice (“Privacy Notice”) tells you how Excellus BlueCross BlueShield, and its affiliates and subsidiaries (“Excellus BlueCross BlueShield,” “Excellus BCBS,” “us,” or “we”) collects and uses your information when visiting our website(s), including www.excellusbcbs.com, and mobile applications (“Website”).

  1. This Privacy Notice is integrated into our Terms of Use. By using our website and providing us with Personal Information, you agree to the practices described in this Privacy Notice and to the updates posted here from time to time. If you withdraw consent, you agree that despite withdrawal, Excellus BlueCross BlueShield may continue to use your Personal Information previously provided to use to the extent that we are legally or contractually obligated to do so and to the extent necessary to enforce any contractual obligations you may have to us. You also understand that by withdrawing your consent, we may no longer be able to provide you with access to certain aspects of the Website.
    If you consented to receiving email communications from Excellus BlueCross BlueShield, you will continue to do so unless you unsubscribe. You may choose to opt out or unsubscribe from receiving future marketing email messages from us. Each marketing email sent from us contains a link with instructions on how to remove yourself from our email list.

  2. Information We Collect About You

    In this Privacy Notice, when we use the term “Personal Information,” and except where a different definition is noted, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a consumer, directly or indirectly, as defined under applicable laws and regulations. Personal Information does not include information that is not covered by applicable privacy laws, including that which cannot be reasonably linked to a consumer (e.g., de-identified or aggregated data) or publicly available information.
    For us to operate our Website and in order for you to access certain services and restricted areas within our Website, or to respond to specific inquiries, Excellus BlueCross BlueShield may collect the following types of Personal Information: (A) Information You Provide To Us, (B) Information We Automatically Collect, and (C) Information We Receive From Third Parties. All of the Personal Information listed in (A)-(C) above, are detailed below, and hereinafter referred to as “Information.”

    1. Personal Information You Provide To Us

      In using our Website, you may provide us with Personal Information, including, without limitation, your legal name, address, telephone number, email address, health-related information, subscriber name or "screen name," and password used to access the services. We may also collect the email addresses of visitors that communicate with us via email; information provided by the visitor in online forums, registration forms, surveys, email messages, and other digital online features (including demographic and personal profile data). For certain products, we may allow certain members to pay their premiums online through a third-party website or mobile application. If you are eligible for, and choose to use, this feature, payment information, e.g. credit or debit card or bank account information, will be collected and transmitted by a third-party vendor for the sole purpose of processing your premium payments. The payment vendor is responsible for securely using and storing such credit or debit card or bank account information and for limiting access to this information to authorized users. We may also collect your Personal Information from your participation and registration in events and seminars, opt-in marketing selection/s and other event and marketing-related activities.
      You are responsible for ensuring the accuracy of the Personal Information you submit to us. Submitting inaccurate Personal Information or failing to maintain the accuracy of Personal Information that changes (for example, a change of email address) may disrupt your ability to use our services, may affect the information you receive from us, and may impact our ability to contact you. You can update your Personal Information at any time by logging into and visiting your user online account page or contact us at our Web Security Help Desk.  

    2. Personal Information We Automatically Collect

      Excellus BlueCross BlueShield also collects information about you from your visit to our Website including:
      • IP address;
      • Your geographic location generally, and with your consent, your precise geolocation;
      • Date and time of your visit;
      • Domain server;
      • Type of computer, web browsers, search engine used, operating system, or platform you use or web browser;
      • Data identifying the web pages you visited prior to and after visiting our Website; and/or
      • Your movement and activity within the Website, which is aggregated with other information.
      • Inferences drawn from any of the information identified above reflecting your preferences and characteristics.
      We use a few different technologies to collect this information:
      "Cookies" are small digital files that are transferred to your computer or smartphone's hard drive when you visit a website or click on a URL. Cookies allow us to operate and personalize the Website, assist with functionality of the website, to track your usage, and to deliver targeted advertisements to you. "Session Variables" are similar to Cookies except that they remain on our servers and are not transferred to your computer or smartphone. Usage of a Cookie or Session Variable is in no way linked to your name or address. Once you close your Web browser, the Cookie or Session Variable simply terminates. If you reject the Cookie or Session Variable, you may still use the Website.
      • Most web browsers automatically accept cookies, unless you have configured yours not to accept them. You can program your browser not to accept cookies, but if you do, you may not be able to use certain portions of the Website and the Website will not be able to customize certain functions according to your preferences.
      • Cookies are placed on the Website, but executed by third parties such as Google, Bing, Facebook, LinkedIn, and other ad networks. For more information about third party cookies and related advertising and how to opt-out of these practices with companies participating in industry self-regulation, please visit About Ads at http://optout.aboutads.info/ or the Network Advertising Initiative at http://optout.networkadvertising.org.
      “Web Beacons/Pixels” are graphic images or web programming code that may be included on the Website to help us count visitors to the Website, monitor how you navigate the Website or to count how many particular articles or links posted on the Website were actually viewed.
      • Our Website uses retargeting pixels from Google, Facebook and other ad networks. Please visit their websites for their privacy policies and consent and opt-out mechanisms, or visit sites that may help block ad tracking, such as About Ads at http://optout.aboutads.info/
      “Analytics” are tools we use, such as Ion by Rock Content and Google Analytics to help provide us with information about traffic to our Website. These services use the data collected to track and monitor the use of our Website, which it shares with other services and websites who use the collected data to contextualize and personalize the ads of its own advertising network. “Mobile Applications” and other mobile devices may provide certain device information if you access the Website through a mobile device, this may include information about your device, your phone number, and your physical location. You may opt-out of tracking and receiving tailored advertisements on your mobile device by some mobile advertising companies and other similar entities by downloading the App Choices app at www.aboutads.info/appchoices.
      We, or third party companies with whom we collaborate or hire to perform services on our behalf, may use your Personal Information to provide you with information that we believe may be useful to you, such as information about health products or services provided by or through us through permissible targeted advertisements. You may opt-out of receiving permissible targeted advertisements by visiting the Network Advertising Initiative at http://optout.networkadvertising.org.
      Some users engage a Do Not Track (DNT) setting to indicate a preference regarding tracking by advertisers and other parties. We do not respond to DNT signals.

    3. Personal Information We Receive From Third Parties

      We may collect additional Information about you from our affiliates, partners or vendors, or third party websites, and/or sources providing publicly available information, to help maintain and support your online account, as well as to maintain security, help prevent fraud, and for marketing, advertising, and other business purposes. We reserve the right to request any additional information necessary to establish and maintain your online account for use of the services and access to the restricted areas.
      The Personal Information we collect is covered by this Privacy Notice, and the information the third-party website collects is subject to the third-party website or the platform’s privacy practices. We encourage you to review the privacy statements of websites you choose to link to from Excellus BlueCross BlueShield so that you can understand how those websites collect, use, and share your Personal Information. Excellus BlueCross BlueShield is not responsible for the privacy statements or other content on websites outside of Excellus BlueCross BlueShield. You are responsible for reading those privacy statements on third party websites.  

    4. Personal Information We Receive from Your Health Care Providers and Other Sources

      In connection with services that involve medical diagnosis and treatment, we may collect health care records from your past, current, and future health care providers. This may include information about your diagnosis, previous treatments, general health, laboratory and pathology test results and reports, social histories, any family history of illness, and records phone calls and emails related to your health status contained in your health care records.  

  3. How We Use Personal Information

    We use and process your Personal Information above for things that may include, but are not limited to, the following:
    1. To administer health care benefits and for our health care operations. For example:
      • decide claim payment by asking you and/or your health care provider(s) for necessary information about services, or treatment;
      • work with other insurers to decide coverage;
      • bill for premiums which may include looking at your claim history;
      • answer customer and provider questions about benefits, enrollment and claims;
      • monitor quality of care and service to our customers which may include case management, and
      • perform utilization and cost containment review activities.
    2. Foster product development and research;
    3. Provide you information about enrollment and our services;
    4. To respond to your questions and inquiries;
    5. Communicate with you via email, text, Social Media Platforms, chat rooms, about information we believe you would be interested in and/or regarding our services, provided that you have not already opted-out of receiving such communications;
    6. Improve our Website and address any technical issues;
    7. Provide targeted advertisements to you;
    8. Analyze the use of the Website to improve our service offerings and produce anonymous or aggregated data and statistics that might help third parties develop their own products and service offerings;
    9. Customize the Website for your interests;
    10. Create an account;
    11. Provider customer services;
    12. Operate our business;
    13. Fulfill contracts we have with you;
    14. Allow you to participate in interactive features when you choose to do so;
    15. To the extent applicable, for processing your premium payments;
    16. Comply with our Terms and Conditions of Use (which is available on our Website);
    17. Comply with any applicable laws and regulations and respond to lawful requests; and
    18. For any other purposes disclosed to you at the time we collect your Information or pursuant to your consent.
    We also may need to use and disclose your Information to comply with our legal obligations. For example, we may provide your Personal Information to government officials and agencies as required by law, and our affiliates as part of business operations. When required by law, and in some other cases, we process your Personal Information after obtaining your consent.

  4. How Long We Keep Your Information

    We generally keep your Personal Information consistent with any applicable legal requirements. To dispose of Personal Information, we may anonymize it, delete it, or take other appropriate steps. Data may persist in copies made for backup and business continuity purposes for an additional period of time. We are under no obligation to store Personal Information indefinitely. We disclaim any liability arising out of, or related to, the disposal of your Personal Information.  

  5. Sharing Your Personal Information

    Excellus BlueCross BlueShield does not sell or share your Personal Information to third parties for monetary or other valuable consideration as defined under the California Consumer Privacy Act, to the extent applicable. However, we may share your Personal Information as set forth in this Privacy Notice.

    1. Aggregated Information

      We reserve the right to disclose to third parties’ data about your usage of our Website and any related services. Any information disclosed for this purpose will be in the form of aggregated data (such as overall patterns or demographic reports) that does not describe or identify any individual user, thus is not considered Personal Information.  

    2. Third Party Vendors

      We may work with other companies to help us conduct our business and require that they only use your Personal Information for the services contracted. For example, we may contract with:
      • benefits management companies for paying claims;
      • health care provider groups to assess quality and cost containment;
      • print, electronic or mail services for permissible marketing communications, advertising, customer communications and surveys;
      • audit or consulting firms for validating the integrity of our processes;
      • state and federal agencies as required by law;
      • other BlueCross BlueShield plans;
      • marketing service companies;
      • data processing parties; and
      • other business services.
      By using our Website you consent to our use of such companies for processing your Personal Information. However, such companies will not be authorized by us to use your Personal Information for any other purpose.

    3. Disclosure Information for Legal and Administrative Reasons

      We may disclose your Personal Information without notice: (i) when required by law or to comply with a court order, subpoena, search warrant or other legal process; (ii) to cooperate in investigations of fraud, intellectual property infringement or any other activity that is illegal or may expose us or you to legal liability; (iii) to comply with legal, regulatory or administrative requirements of governmental authorities (including, without limitation, requests from the governmental agency authorities to view your Information); (iv) to protect and defend the rights, property or safety of us, our subsidiaries and affiliates and any of their officers, directors, employees, attorneys, agents, contractors and partners, and the Website’s users; (v) to enforce or apply the Website’s Terms and Conditions of Use; and (iv) to verify the identity of the Website’s users.  

    4. Business Transfers

      Your Personal Information may be transferred, sold or otherwise conveyed to a third party where we: (i) merge with or are acquired by another business entity; (ii) sell all or substantially all of our assets; (iii) are adjudicated bankrupt or (iv) are liquidated or otherwise reorganize. You consent to any and all such conveyances of your Personal Information.  

    5. Protected Health Information

      We may transfer your Protected Health Information (“PHI”) as described in our Notice of Privacy PracticesOpen a PDF and as permitted under federal HIPAA regulations and applicable state law.  

    6. Safety and Security

      We may share your Personal Information to protect the safety and security of our users and customers, to prevent fraud, abuse, or unauthorized activities, to protect the rights of property of us, third parties, you, or others, including enforcing the terms of our agreements.

    7. Business Purposes

      We may share your Personal Information to fulfill our everyday business purposes.

    8. With Your Consent

      We may share Personal Information consistent with this Privacy Notice with your consent.

    9. Lawful Purpose

      For other purposes permitted by law.

  6. Consumer Rights for Certain Individuals Based Upon Where You Live

    If you are a user residing in an applicable jurisdiction that provides you certain data privacy rights, you may have the right to make a request regarding your Personal Information.
    1. Right to Know/Access: The right to request that we disclose to you the Personal Information we have collected about you.
    2. Right to Request Correction/Ratification: The right to request that we correct inaccurate Personal Information that we maintain about you, if any.
    3. Right to Request Deletion/Erasure: The right to request that we delete your Personal Information that we have collected from or about you.
    4. Right to Opt Out/Withdraw Consent: The right to opt out of the sale or sharing of Personal Information or opting out of processing of your Personal Information obtained from your activities on nonaffiliated websites or online applications for the purposes of targeted advertising. You may also object to automated decision making.
    5. Right to Object To, Limit Use and Disclosure/Restrict Processing: The right to limit the use and disclosure of Personal Information, including transfers of your information to other parties.
    6. Right to Data Portability: The right to receive the Personal Information collected in a format easily understandable and in a usable format.
    7. Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising your privacy rights.
    8. Right to Limit the Use of Sensitive Personal Information: Applies only to California consumers; “Sensitive Personal Information” includes, but is not limited to, information such as financial account information, credit card numbers, precise geolocation, racial or ethnic origin, citizenship, or immigration status.
    To make these requests please send an email to Our Corporate Privacy Office at privacy.officer@excellus.com.
    The requests above will be considered and responded to in the time period stated by applicable law. Note, certain Personal Information may be exempt from such requests. We may require additional information from you to confirm your identity in responding to such requests. You have the right to lodge a complaint with the authorities applicable to you and your situation, although we invite you to contact us with any concern as we would be happy to try and resolve it directly. Please contact the Corporate Privacy Office by: writing to us at 333 Butternut Drive, Syracuse, NY 13214-1803, or emailing us at privacy.officer@excellus.com.
    Designated Agent: You may designate an agent to make a request on your behalf. That agent must have access to your account in order for us to verify the request. You may make such a designation by providing the agent with written permission to act on your behalf. We will require the agent to provide proof of that written permission. As permitted by law, we may require you to verify your own identity in response to a request, even if you choose to use an agent.
    Please note that we reserve the right to not delete your Personal Information if it is necessary to:
    • complete the transaction for which the Personal Information was collected;
    • provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
    • detect security incidents, protect against malicious, deceptive activity, and take all necessary and appropriate steps to mitigate current and future risk;
    • debug and repair internal information technology as necessary;
    • undertake internal research for technological development and demonstration;
    • exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
    • engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
    • enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
    • comply with an existing legal obligation; or
    • otherwise use your Personal Information, internally, in a lawful manner that is compatible with the context in which you provided it.

  7. Artificial Intelligence

    We may integrate Artificial Intelligence (“AI”) and associated technology into our services and operations. Please note all use of AI is monitored and reviewed by a human.

  8. Third Party Websites

    This Privacy Notice does not apply to any Personal Information that you may provide to unaffiliated third parties, for example, other websites linked to this Website with whom we do not have a relationship. If you access our Website from a third party website (“Third Party Website”), you may be required to also read and accept the terms and conditions and privacy notice of that Third Party Website. We are not responsible for the privacy and security practices of those websites and you should contact such third parties directly to determine their respective privacy notices. Links to any other Third-Party Websites or content do not constitute or imply an endorsement or recommendation by us of the linked website or content. This Privacy Notice does not apply to any Personal Information that you may provide to other websites linked to our Website.  

  9. Our Right to Contact You

    We may contact Website visitors regarding account status and changes to the subscriber agreement, privacy statement, or any other policies or agreements relevant to site visitors and for marketing and advertising purposes. You agree that we may contact you by way of text, email, or telephone. Our Mobile SMS Terms of Use are available at, https://news.excellusbcbs.com/compliance/privacy-policy/text-messaging.  

  10. Right to Change This Privacy Notice

    If we alter our Privacy Notice, we will post those changes here in a timely manner so you can be aware of changes that may affect you. Any change to this Privacy Notice shall be effective as to any visitor that has accepted the Excellus BlueCross BlueShield Website Terms and Conditions before the change was made.  

  11. Children

    The Website is not intended for children under the age of eighteen (18). Minors who are enrolled in our insurance plans are only permitted to access the Website with a legal guardian. We will not knowingly collect or use any Personal Information regarding a user under the age of eighteen (18) without the consent of a parent or legal guardian. If you believe that we have unintentionally collected Personal Information about those under the age of eighteen (18), please contact us at our Web Security Help Desk.  

  12. Security of Your Personal Information

    We have implemented commercially reasonable security features to help prevent the unauthorized release of or access to Personal Information that has been received via the Website. Please be advised, however, that the confidentiality of any communication, information or other material transmitted to or from Excellus BlueCross BlueShield via web, mobile, or e-mail cannot be guaranteed. Accordingly, Excellus BlueCross BlueShield is not responsible for the security or confidentiality of information being transmitted via the Internet, the World Wide Web, mobile applications, or other global computer networks. Excellus BlueCross BlueShield will have no liability for disclosures of Personal Information due to errors in transmission or unauthorized acts of third parties. We do not guarantee that your Personal Information will not be misused or disclosed to third parties. We will not have any liability for misuse or disclosure of your Personal Information. If you believe that your username or password to your online account profile has been stolen, you are required to notify us so that necessary measures can be taken immediately by contacting us at our Web Security Help Desk.
    It is your responsibility to maintain the confidentiality of your log-in credentials and unique identifiers used to access the Website. You are also responsible for ensuring the accuracy of the Personal Information you submit to Excellus BlueCross BlueShield. Submitting inaccurate Personal Information or failing to maintain the accuracy of Personal Information that changes (for example, a change of email address) may disrupt your ability to use the Website, may affect the services you receive from us, and may impact our ability to contact you. You can update your Personal Information at any time by logging into and visiting your online account page.

  13. Protection of Member Health Information

    If you are a member of Excellus BlueCross BlueShield (and not someone visiting our Website only for informational purposes), then it is possible that you may also provide us with Personal Information that constitutes health information protected by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Excellus BlueCross BlueShield is a Covered Entity under HIPAA. Accordingly, Excellus BlueCross BlueShield is covered by (and complies with) HIPAA regulations regarding the use and disclosure of members' health information for each health plan. Our Notice of Privacy Practices explains how we may use and disclose health information to carry out payment and health care operations and for other purposes that are permitted or required by law. "Health information" that is protected under HIPAA by health plans ("Protected Health Information") generally includes claims information and any other information that relates to an individual's past, present or future physical or mental health. This Privacy Notice applies to Personal Information that you provide to us for purposes of requesting medical care through the Website (“PHI”), and information that should not be PHI. The handling, use, and disclosure of PHI is described in our Notice of Privacy Practices but does not apply to information that is not PHI. This Privacy Notice supplements the Notice of Privacy Practices for PHI. If there is any conflict between this Privacy Notice and the Notice of Privacy Practices, the Notice of Privacy Practices will apply for PHI.  

  14. Data Storage and Transfers

    The Website is operated in the United States. If you are located outside of the United States, please be aware that Personal Information we collect will be transferred to and processed in the United States. By using the Website, or providing us with any Personal Information, you consent to this transfer, processing, and storage of your Personal Information in the United States, a jurisdiction in which the privacy laws may not be as comprehensive as those in the country where you reside and/or are a citizen. Portions of our site may be supported by a network of computers or cloud based servers in other jurisdictions. We do not represent that our Website is appropriate or available in any particular jurisdiction.
     

  15. Accessing and Updating Your Personal Information

    If you believe that any Personal Information collected and maintained by us about you is not correct or has changed, please send an e-mail message to our Corporate Privacy Office at privacy.officer@excellus.com explaining the correction or change. We also may provide web pages or other mechanisms through which you can correct or update the Personal Information we have collected and maintained.
    In accordance with our routine record keeping, we may delete certain records that contain Personal Information you have submitted through the Website. We are under no obligation to store such Personal Information indefinitely and disclaim any liability arising out of, or related to, the destruction of such Personal Information.
    Even if you ask us to delete your Personal Information, we may need to retain some Personal Information about you in order to satisfy our legal and security obligations. In addition, you should be aware that it is not always possible to completely remove or delete all of your Personal Information from our databases without some residual data because of backups and other reasons.
    We provide users with the ability to opt-out of receiving marketing and other communications from us, and to update, supplement, or delete Personal Information we have about them.  

  16. Questions and Additional Information

    Privacy Notice Questions

    Questions regarding Excellus BlueCross BlueShield's Privacy Notice may be directed to the Excellus BlueCross BlueShield Web Security Help Desk.

    By Mail

    Excellus BlueCross BlueShield Web Security Help Desk
    Re: Website Privacy Policy
    333 Butternut Drive
    Syracuse, NY 13214-1803

    By Phone

    1-800-278-1247 (TTY 711)

    Privacy Rights Questions

    Please contact Customer Care for questions. Members can call the number listed on the back of their member card.

    Privacy Complaints

    Questions and privacy complaints may be directed to the Excellus BlueCross BlueShield Corporate Privacy Officer.

    By Email

    Excellus BlueCross BlueShield
    Re: Corporate Privacy Officer
    333 Butternut Drive
    Syracuse, NY 13214-1803

    By Phone

    1-866-584-2313 (TTY 711)

    By Email

    privacy.officer@excellus.com

Last updated: July 7, 2025

 

GDPR Notification Content