Social security numbers and bank account data exposed

Mar 18, 2015 08:54 GMT

Personal information of as many as 11 million customers of health care provider Premera Blue Cross has been exposed for a period of 10 months, the company learned from the initial results of an investigation into a recently discovered cyber-intrusion.

The incident was discovered by Premera on January 29 and was labeled “a sophisticated attack.” According to a forensic examination carried out by Mandiant, FireEye’s cyber-response unit, the intrusion occurred on May 5, 2014.

Clients of multiple health insurance plans impacted

Details on how the company became aware of the intrusion have not been disclosed, but an official statement on Tuesday says that Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions, Inc., have all been affected by the attack.

Members of other Blue Cross Blue Shield plans seeking treatment in Washington or Alaska have also been affected, Premera says on a webpage created specifically for updates on this event.

During the investigation it was determined that the hackers could have accessed data belonging to members and applicants.

This may include social security numbers (SSN), names, dates of birth, email addresses, physical addresses, telephone numbers, member identification numbers, bank account details and claims data, including clinical information; some of the data dates as far back as 2002.

The company added that the email addresses, personal bank account numbers or SSNs of other individuals who engaged in business activities with Premera have also been exposed.

Some of the people impacted are residents of Washington, where there are customers employed at large companies such as Microsoft, Starbucks and Amazon.

The intrusion lasted for too long

The malware that allowed unauthorized access to the confidential information has been removed from the computer systems of the company and steps have been taken to increase the security of the network.

"Healthcare and insurance organizations have a wealth of sensitive information and need to be held accountable when they fail to protect it. With this incident, we know that the dwell time was close to 3/4 of a year at 269 days," said Stephen Boyer, CTO at BitSight, a firm that provides security performance assessment services.

"In 2014, Verizon reported that the average organization took approximately 25 days to detect a breach, which is well beyond what it took Premera," Boyer added via email.

Jeff Roe, president and CEO of Premera, said that the company is trying to reduce as much as possible the impact this event has on customers.

To achieve this, the health care insurer is offering affected individuals two years of free credit monitoring and identity theft protection services.

Letters disclosing the incident and giving instructions on how to safeguard personal information started going out to affected customers on Tuesday.