A government audit of Premera Blue Cross revealed glaring vulnerabilities in the company’s cyber defenses in the weeks before it experienced a major data breach. As a result, five different lawsuits are alleging that the health insurer should be found negligent for the breach.
In March, it was revealed that Premera Blue Cross suffered a data breach that compromised the medical and financial data of 11 million people. Three weeks before that happened, federal auditors warned the company that its network-security procedures were inadequate.
Officials gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers and expose sensitive information.
Also, that was last April—the company didn’t notify consumers of the digital break-in for months afterwards.
Now, Premera Blue Cross is facing five class-action lawsuits, filed in U.S. District Court in Seattle on behalf of Premera customers from Washington, Nevada and Massachusetts. They all claim that Premera was negligent, breached its contract with customers, violated the Washington Consumer Protection Act and failed to disclose the breach in a timely manner.
The suits say that Premera should be held financially responsible for any losses customers suffer, as well as award damages and restitution, according to the Seattle Times.
The company offers insurance in the Pacific Northwest, in Alaska, Oregon, and Washington. Affected brands include Premera Blue Cross Blue Shield of Alaska, Vivacity and Connexion Insurance Solutions.
Attackers were able to infiltrate the company’s networks, gaining access to a range of subscriber information, including name, address, email address, telephone number, date of birth, Social Security number, member identification number, medical claims information and in some cases, bank account information.
"Premera unfortunately encountered the Achilles heel of lax passwords,” said Muddu Sudhakar, CEO of Caspida, in an email. “But the problem does not reside with the users—we should always assume that users are lax on passwords. And asking users to keep improving passwords is not a scalable approach for cyber-defense.”
The problem instead lies with the company itself, for failing to implement next-generation cybersecurity defenses against cybercriminals and nation state attacks, he added. To defend against these types of attacks, organizations need to add a next-generation cyber defense layer to proactively monitor all user and non-user accounts.
“For Premera and other enterprise organizations, password weakness is a constant pain point that will continue to fester until we move beyond usernames and passwords with things like biometrics,” he said. “Enterprises can make the best of a bad password situation, but can also insulate themselves against the threats that slip through using compromised credentials.”
Also, early breach detection strategies can look for signals indicating threats such as malware, APTs and insider attacks.
“The signal data is there, but combing through the signal data in real-time with new analytics can provide early breach detection that looks for online account takeover, privilege escalations and account monitoring,” Sudhakar said.