According to a statement released by Premera, the attack began in May 2014 and was discovered on January 29 of this year, the same day that health insurer Anthem disclosed their own breach. While Premera spokesman Eric Earling stated that the two attacks were unrelated and that his company had identified the breach independently, experts suggest that both companies were attacked using similar methods. This may indicate that a single party may have been behind both the Anthem and Premera hacks.
On the Premera website they stated, “Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information.”
Unlike the Anthem breach in this attack medical information was accessed making this the largest data breach involving medical information reported to date.
Overall the attack affected members of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska and affiliated brands Vivacity and Connection Insurance Solutions. Members of other Blue Cross Blue Shield plans who have sought treatment in Washington or Alaska may also be affected.
The insurer said that so far its investigation, conducted in cooperation with the FBI, has found no evidence that any data was removed from their systems or used inappropriately. They are offering two years of free identity theft and credit monitoring services to affected individuals.
Reuters reported that officials expect that other health insurance companies will find that they are victims of similar intrusions as they check for breaches following this attack. “I think other insurance providers are compromised today and we still don’t know it,” Dave Kennedy, an expert in healthcare security and chief executive of TrustedSEC LLC said. “More and more are going to disclose attacks.”
For members whose data might have been compromised, Premera’s 47-day gap between discovery and disclosure of the breach may be a source of disappointment. While Premera took that time to work with the FBI and launch an investigation, there were still a number of weeks when affected individuals were in the dark and unable to take any steps to protect themselves from the possible repercussions of the data breach.
Customers who believe they may be at risk should keep an eye on Premera’s website for updates. Premera is mailing letters to anyone whose information may have been accessed during this attack. They should also check bank records and credit reports for suspicious activity and change the passwords of their email and online health insurance accounts.