Premera Blue Cross has become the latest medical information casualty, suffering a data breach that has compromised medical and financial data of 11 million people.
The company offers insurance in the Pacific Northwest, in Alaska, Oregon, and Washington. Affected brands include Premera Blue Cross Blue Shield of Alaska, Vivacity and Connexion Insurance Solutions. Details are so far pretty skimpy, but it appears that attackers were able to infiltrate the company’s networks, gaining access to a range of subscriber information, including name, address, email address, telephone number, date of birth, Social Security number, member identification number, medical claims information and in some cases, bank account information.
The medical information compromise is of particular concern, researchers said.
“The Premera breach could be much worse for those who are victims as it includes not just information to commit credit fraud, but also medical fraud and potentially sensitive information about medical conditions,” said Tim Erlin, director of product management, IT security and risk strategy at Tripwire, in an email.
Dave Frymier, chief information security officer (CISO) at Unisys echoed the concern. “Breaches like this can literally create life-or-death issues for consumers,” he said. “If stolen health records are used by a criminal, fraudulently-purchased medical procedures are listed on the records of people who did not have the procedures, which can create critical medical issues in the future.”
Payment information was one segment that’s not affected, the company said. “Premera does not store credit card information for members, so your credit card information is not affected by this attack,” the company said in its website notice. “Our investigation has not determined that any information was removed from our systems and there is no evidence to date that any such information has been used inappropriately.”
The health insurance provider said that the compromise occurred in May 2014—but it didn’t discover the breach until January, some seven months later. Clearly, Premera did not have proper detective controls in place to identify that an attacker was inside the network, but Erlin points out evidence that it perhaps didn’t detect the breach at all.
“The fact both Anthem and Premera discovered the breaches on the same day indicates to me that it was law enforcement that tipped them off to the data being compromised,” he said. “I believe we will see other organizations that were also breached during this timeframe.”
This could be exacerbated by the fact that many of the security lapses found in one organization within a vertical are likely to appear in multiple organizations in that same industry. Also, criminal organizations tend to focus on an industry rather than individual companies, as the cost of purloined information ebbs and flows.
“Following the Anthem breach, we now have another healthcare breach at Premera, which makes sense since the black market value of medical records is so high,” said Jonathan Sander, strategy & research officer, STEALTHbits Technologies, in an emailed comment. “Medical records are rich in information that can be used for very profitable health care fraud as well as all the traditional scams that stolen data has powered.”
In any event, medical companies should be put on notice that they’re in the crosshairs, and take the appropriate steps to protect their consumers.
"Healthcare organizations need to recognize that all their systems must be secured using a unified approach, to prevent “weakest link” issues relating to security gaps or vulnerable systems,” said Ulf Mattsson, CTO at Protegrity, in an email. “Companies that have been hacked show that compliance does NOT equal security. We strongly urge healthcare organizations to not only follow HIPAA, HITECH, and other security rules, but go beyond them, as they are just a baseline or minimum of acceptable security."