Millions of Americans are at risk today due to a newly disclosed data breach at health insurance provider Premera.
The Premera breach—reported to affect up to 11 million people—involves multiple brands, including Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the affiliate brands Vivacity and Connexion Insurance Solutions. Premera also owns and operates the LifeWise brand; the LifeWise breach affects LifeWise Health Plan of Washington, LifeWise Health Plan of Oregon and LifeWise Assurance Company.
Premera stated that the data breach was first discovered on Jan. 29—just days before Feb. 4, when fellow Blue Cross brand Anthem disclosed that it had been breached. In the Anthem breach, 80 million customer and employee records were disclosed.
“Our investigation determined that attackers may have gained unauthorized access to personal information, but we have not determined that any information was removed from our system,” Premera stated on its Website.
Premera admitted that while the breach was only discovered in January, the initial attack likely occurred on May 5, 2014. Premera is now also working with the Federal Bureau of Investigation and FireEye’s Mandiant incident response division to investigate the incident.
“I recognize the frustration that the news of this cyber-attack may cause,” Jeff Roe, Premera president and CEO, said in a statement. “The privacy and security of our members’ personal information is a top priority for us.”
Todd Harris, director at security vendor Core Security, said he was surprised at how long it took Premera to respond and let their customers know about the data breach. He noted that Premera said the attack started in May 2014 and was discovered on January 29, 2015, meaning they waited 47 days to let their customers know that their personally identifiable information was stolen.
“During this time, their customers could have been taking measures to protect themselves, even if just changing their passwords,” Harris said.
Steve Grobman, CTO at Intel Security, said that while the full details on the Premera breach event aren’t yet clear, what is clear is that cyber-criminals are increasingly focusing on personal data held by health care organizations. Health care personal information can sell for 10 times the cost of stolen debit and credit card information, given that the latter is more perishable, Grobman explained.
“Personal informational contained by health care organizations isn’t likely to change, whereas stolen card numbers are cancelled soon after the theft is discovered,” Grobman said in an email to eWEEK.
Patrick Murray, vice president of products at security vendor Zimperium, said that there is enough of a trend to indicate that the cyber-attackers made a concerted push about a year ago to infiltrate health care companies, so it should not be a surprise if more disclosures of breaches are forthcoming from other health care companies. In 2014, a long list of retailers reported being breached in the months after Target first disclosed its data breach at the end of 2013.
After the Target retail breach was disclosed, the Backoff malware family was identified as being a leading risk for point-of-sale exploits.
It’s too early to speculate if a similar type of malware is at play in health care, Murray said. “Victims are careful not to release too much information about the cause of the breach to the public, which is what makes these attacks more difficult to protect against,” Murray told eWEEK.
It is understandable that a company would be protective about its security information, and in many cases, it takes months for them to even know themselves, Murray said. However, he added, it would be helpful for all verticals to share attack information in some anonymized way to protect others who may also be under a similar attack.
“The one encouraging thing about this event was that it appears these insurance companies were tipped off by Anthem’s attack through sharing information via HITRUST [Health Information Trust Alliance]. That is an effective method that should be used more frequently,” Murray said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.