US health insurance firm Premera Blue Cross has revealed its IT systems were breached, exposing the financial and medical records of 11 million customers.
Premera Blue Cross said it discovered cyber attackers breached its systems in January 2015. An investigation showed the first attack took place in May 2014.
News of the breach came six weeks after fellow US health insurer Anthem revealed a data breach had hit its systems, affecting 80 million customers and employees.
Security experts predict cyber attacks on health care organisations will grow because of the rich set of personal data they hold.
Premera says it is contacting all customers affected by the attack – but many have criticised the company for taking nearly seven weeks before raising the alarm.
Anthem was praised for alerting customers and employees about its breach within a week of discovering it.
Premera said FireEye’s Mandiant cyber security team is removing malware from company systems and investigating the breach alongside the FBI.
Read more about data breaches
- More than 70% of executives say their organisations do not understand fully the risks associated with data breaches.
- Most large enterprises already know much of what they need to put in place to protect themselves against data breaches – they just have not done it all.
- As data breaches mount, the C-suite is being pressed to take part in enterprise security.
Sensitive personal data breached
Premera said it is also taking action to strengthen and enhance the security of the company’s IT systems.
Affected brands include Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions.
Premera said its investigation showed attackers may have gained unauthorised access to applicants’ and members’ information.
This data could include names, dates of birth, email addresses, addresses, telephone numbers, social security numbers, member identification numbers, bank account information and claims information – including clinical data.
Although fewer records were exposed than in the Anthem breach, the Premera breach could have a much greater impact because it includes medical information.
Medical data can be more valuable to cyber criminals than financial information because it remains valid for a longer period of time and can be used to create false claims and records, say security experts.
The company said individuals who do business with Premera and provided their email address, personal bank account number or social security number are affected.
Premera takes measures to mitigate customers' data breach
But Premera said the investigation has not determined that any such data was removed from its systems, and there is no evidence that such data has been used inappropriately.
In addition to alerting customers affected by the breach, the company is providing two years of free credit monitoring and identity theft protection services.
Premera has set up a dedicated callcentre for members and other affected individuals.
“I recognize the frustration that the news of this cyber attack may cause. The privacy and security of our members' personal information is a top priority for us,” Premera president and chief executive Jeff Roe said in a statement.
“As much as possible, we want to make this event our burden, not yours, by making services available to protect you and your information moving forward.”
Richard Blech, chief executive of security firm Secure Channels, said the Premera breach demonstrated the failure of flawed, outdated assumptions.
The importance of encrypting sensitive data
“These include an over-reliance on ‘guard the door’ entry point security and simplistic single-key encryption schemes – a quaint and dangerous approach to a 21st century problem,” he said.
To be an entrusted safe-keeper of private and sensitive consumer information, Blech said an insurer or provider has to protect said data by encrypting it.
"Responsible insurers and care providers are attuned to the landscape of today’s technologies, increasingly pandemic threat landscape and the responsibilities and consequences that together help define their market,” he said.
Blech said security-as-an-afterthought is not a plan. “Likewise, security at a few single points in the infrastructure is not an answer, it’s an invitation.”
He said that, while there may not be a sustainable way to prevent intrusions, personal data can be secured by encrypting it to the highest levels.
“With advanced and unhackable encryption, the hacker is left with a bunch of useless bits and bytes. The alternative is to continue to leave sensitive data readable – thus hackable – leaving organisations and their patients truly vulnerable," said Blech.