US healthcare services provider Premera has confirmed that is suffered a sophisticated attack which compromised the personal information of members, employees and business partners.
In a statement, Premera president and CEO Jeff Roe confirmed that attackers gained unauthorised access to IT systems, which was discovered on January 29th and an investigation found that it occurred on May 5th, 2014. “As part of our own investigation, we notified the FBI and are coordinating with the Bureau’s investigation into this attack,” he said.
“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected. The investigation has not determined that any such data was removed from our systems. We also have no evidence to date that such data has been used inappropriately.”
The company confirmed that the incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska and affiliate brands Vivacity and Connexion Insurance Solutions. Amongst the accessed data was names, dates of birth, email addresses, home addresses, Social Security numbers, member identification numbers, bank account information and claims information, including clinical information.
Roe said: “I recognise the frustration that the news of this cyber attack may cause. The privacy and security of our members’ personal information is a top priority for us. As much as possible, we want to make this event our burden, not yours, by making services available to protect you and your information moving forward.
“All of us here at Premera have been affected by this attack and we understand and share your concerns. Please know that we’re committed to making sure you get the tools and assistance you need to help protect you.”
Cris Thomas, technical manager at Tenable Network Security, said: “There are not a lot of details on this breach as to who might be responsible, but in the end ‘the who’ doesn’t really matter, security practitioners are much more interested in ‘the how’.
“The timing is interesting as it would appear to have occurred at the same time as the recent Anthem breach. One thing is for certain, assuming this was a breach for monetary gain, is that as it gets harder to monetise credit card details attackers are turning to medical files as a way to commit insurance and medicare fraud to turn their online activities into cash.”
Journalist Brian Krebs suggested that 11 million customers may be affected, and the FBI investigation is ongoing. “Cyber crime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice,” the FBI said in a statement to Krebs on Security.
Richard Blech, CEO of Secure Channels, said: “This news comes just six weeks after Anthem disclosed that hackers had stolen some reportedly lesser levels of information of nearly 80 million subscribers from its IT system.
“Patients are likely asking: Did you not have enough money or resources to acquire the necessary technology to do the job? Were you too busy charging premiums to your customers that protecting their sensitive data that you hold as unimportant?
“Meanwhile, shareholders and the technical community are likely asking: Didn’t you hear? Protecting PHI data (encryption) must be done at the inception of the content. Trying to ‘fix’ the problem after neglecting to protect sensitive patient clinical in the first place is comparable in many ways to post-exposure inoculation.
“Either PHI is important enough to protect or it is not. Security as an afterthought is not a plan. Likewise, security at a few single points in the infrastructure is not an answer, it’s an invitation.”