It's turning out to be a problematic year for health insurance IT management. Another Blue Cross insurer has been hacked, and this time it seems that subscriber medical information was exposed.
Premera Blue Cross, the parent of health plans in Alaska, Oregon and Washington, revealed that it was the victim of a "sophisticated cyber attack" at the hands of hackers who entered the company's IT systems and may have accessed data on 11 million past and present customers.
The attack initially occurred May 5, 2014, but was not noticed until this January. Premera is still assessing the damage, and is working with the Federal Bureau of Investigation and retaining the cyber security firm Mandiant to "investigate the attack and cleanse our IT system of the infection created by that attack."
"Our investigation determined that the attackers may have gained unauthorized access to applicants and members' information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information," said Premera, based in Mountlake Terrace, Washington.
The hacking also affected Premera's for-profit subsidiary, LifeWise Health Plan, in Oregon and Washington, as well as members of other Blue Cross Blue Shield plans who received treatment in Washington or Alaska.
"It's important to note that our investigation has not determined that data was removed from our systems," the company said. "We have no evidence at this point that any of the data that may have been accessed during this attack has been used inappropriately."
Nonetheless, all Premera customers will receive two years of free credit monitoring and identity protection services from Experian. "As much as possible, we want to make this event our burden, not yours, by making services available to protect you and your information moving forward," said Premera CEO Jeff Roe. "All of us here at Premera have been affected by this attack and we understand and share your concerns."
The Premera breach is the second major health insurance hack unearthed this year. Some 80 million past and present Anthem members and BCBS customers may have had their personal data exposed, possibly by Chinese intelligence mercenaries, according to ThreatConnect. While there is no evidence that the personal health information of Anthem customers was exposed, the Premera breach includes claims and related clinical information.
And Premera, it turns out, was warned about data vulnerabilities three weeks before being hacked. In April of 2014, the U.S. Office of Personnel Management's Inspector General found that Premera's IT system had insecure servers, lacked timely patch implementations and needed processes to "ensure that unsupported or out-of-date software is not utilized."
The two high-profile breaches have left some security experts concluding that for both health insurers and healthcare providers, it is not so much a question of if but when a hack will occur--and whether it can be discovered early and mitigated. Some also think the Anthem and Premera attacks are related.
"The fact the breach went undiscovered for seven months indicates that the institution did not have proper detective controls in place to identify an attacker was inside the network," said Ken Westin, security analyst for the Portland, Oregon-based cyber security company Tripwire. "The fact both Anthem and Premera discovered the breaches on the same day indicates to me that it was law enforcement that tipped them off to the data being compromised."
Other health insurers or providers could very well have been hacked in the past year, as well, Westin argued. "Organized criminal syndicates targeting this type of data don't target one organization; they target an entire industry," he said. "Many of the vulnerabilities or security lapses found in one organization are likely to appear in multiple organizations in that same industry."
Others argue that healthcare organizations, and insurers in particular, need to adopt a new IT security paradigm: encryption.
The Premera breach "demonstrates the failure of flawed, outdated assumptions: over-reliance on 'guard the door' entry point security," said Richard Blech, CEO of Irvine, California-based Secure Channels. "To be an entrusted safe-keeper of private and sensitive consumer information, an insurer or provider has to protect said data by encrypting it."