The cyberattack against Premera Blue Cross disclosed last week affects significantly fewer people than the Anthem hack revealed last month. But the hacked Premera data could have greater value and cause more damage to customers.
Premera, which claims 1.8 million members, discovered in January that a May 2014 cyberattack breached a system holding records for 11 million people, the company announced. The exposed records may have included clinical and financial records, in addition to personal information including addresses and Social Security numbers. Anthem had said it believes the theft of data on nearly 80 million of its customers and employees was limited to personal information.
Medical-record theft can be particularly costly for its victims. A February 2015 survey by the Ponemon Institute found that about two-thirds of medical-record theft victims said they had paid an average of $13,500 to resolve the theft.
Customers may be able to seek damages for identity theft that occurs years after the free identity theft protection Premera is offering has ended, said Ken Dort, a partner in the law firm Drinker Biddle & Reath who specializes in information technology. But the plaintiffs would have to prove that the theft was linked to the Premera hack, which could be difficult.
Premera spokesman Eric Earling said it's too early to know whether the breach will significantly affect the company's bottom line. He declined to say whether the Mountlake Terrace, Wash.-based insurer had a cybersecurity insurance policy. Anthem said its cybersecurity policy would limit the damage to its financial results.
“We have strong reserves to provide for our customers,” Earling said.
Though Premera is offering customers two years of free credit-monitoring and identity theft protection, that will do little to protect them against identity thieves who may wait a few years to use or sell the data. Plus, experts say, most credit-monitoring programs don't protect customers against the effects of medical identity theft, which can be far more harmful.
Premera said it hired Experian to provide credit-monitoring for affected customers.
Having an individual's personal, clinical and financial information gives identity thieves a more convincing profile, allowing them to engage in total identity theft, said Pamela Dixon, executive director of the San Diego-based World Privacy Forum. “The people who were exposed in this breach will have to be on guard for at least a decade,” she said.