Story updated at 8 p.m. EDT
Premera Blue Cross, a health plan in the Pacific Northwest, was hit with the second-biggest cyberattack in healthcare industry history, exposing the personal, financial and medical information of more than 11 million customers.
The Mountlake Terrace, Wash.-based company discovered the attack on Jan. 29, 2015. An investigation revealed that the initial attack occurred May 5, 2014. The breach affected Premera Blue Cross, Premera Blue Cross and Blue Shield of Alaska, and Premera affiliate brands Vivacity and Connexion Insurance Solutions.
Premera said that the company has not been able to determine if any data was removed from the company's systems and that there's no evidence records have been used inappropriately.
The revelation comes six weeks after Anthem, the nation's largest investor-owned Blues licensee, disclosed that hackers had stolen the records of nearly 80 million from its information technology system.
Information exposed in the hack dates to 2002. The company said the records could include members' names, dates of birth, Social Security numbers, mailing addresses, e-mail addresses, telephone numbers, member identification numbers, bank account information and claims information, including clinical information.
As with the Anthem hack, the Premera breach affects some customers of other Blues plans that participate in the national, reciprocal claims payment network called BlueCard, a Premera spokeswoman confirmed. The network is often used for members who travel out of their insurer's service area for care.
Premera Blue Cross is beginning to mail letters to affected customers offering two years of free credit monitoring and identity theft protection. The company also has established a call center and and a website, www.premeraupdate.com, dedicated to information about the breach.
"We at Premera take this issue seriously and sincerely regret the concern it may cause," Premera CEO Jeff Roe said in a statement. "As much as possible, we want to make this event our burden, not that of the affected individuals, by making services available today to help protect people's information."
If the ongoing investigation confirms that no data was removed from Premera's system, customers could be less at risk than Anthem's customers. But the company may be offering protection to customers because it can't be sure that is the case, said Mac McMillan, a healthcare security expert and founder of CynergisTek, an Austin, Texas-based security consultancy.
“It could very well be they can't prove the negative,” McMillan said. “They can't disprove that these people had access to that information.”
It's possible but not likely that the individuals could have downloaded the data from Premera's servers but left no evidence that they removed the data, MacMillan said. Stealing data without leaving a trace is difficult, he said, because usually only high-level administrators have the ability to eliminate audit trails.
Hackers also may have infiltrated the system without the intention of stealing data, McMillan said. Cyberattackers sometimes look for insecure systems and manipulate them to create bots that can be used in other cyberattacks, he said.
Premera has worked closely with the FBI and Mandiant, a cybersecurity firm, to investigate and remove the "infection created by the attack," the company said. An FBI spokeswoman said in a statement that Premera “quickly” notified the law enforcement agency about the attack but declined to give a specific time frame.
In the Anthem hack, the initial investigation indicated that members' bank or clinical records were not exposed. The inclusion of that information in the Premera breach makes it particularly disconcerting, said Pam Dixon, executive director of the World Privacy Forum, a San Diego based not-for-profit organization that pioneered research into the field of medical identity theft.
“The recent spate of advanced medical breaches show us that the word is out about the value of medical data, and the sophisticated level of criminals making these attacks,” Dixon said in a statement. “Patients need to be prepared and educated about both medical ID theft and phishing, and providers need to be honest about the risk of medical forms of ID theft.”
Cyberattacks are one of the least common ways that protected health information is exposed, but the episodes typically involve significantly bigger numbers of records.
Nearly three-quarters of the records exposed in healthcare breaches reported to HHS have been linked to cyberattacks, even though those attacks account for less than 10% of the breaches, according to a Modern Healthcare analysis of HHS data.
“(Hackers) clearly have an eye on these types of organizations who hold financial information, but also very sensitive healthcare information,” said Paul Bantick, an underwriter for cybersecurity insurer Beazley, which also provides services for organizations responding to attacks.
“The best way for these organizations to mitigate the damage,” Bantick said, “is to respond and contain it as best as you can.”
Follow Adam Rubenfire on Twitter: @arubenfire
Follow Joseph Conn on Twitter: @MHJConn