Health insurer Premera Blue Cross said on Tuesday it was a victim of a cyberattack that may have exposed medical data and financial information of 11 million customers in the latest serious breach disclosed by a healthcare company.
It said the attackers may have gained access to claims data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other data in an attack that began in May 2014.
If the 11 million records number is borne out, it would be the largest breach reported to date involving patient medical information, according to security experts.
In a statement, Premera said it discovered the incident on January 29 and that the initial attack occurred on May 5, 2014. Curiously, the date of Premera’s discovery was the same as the date on which Anthem healthcare said it discovered a breach affecting its members.
The incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc.
Among the information stolen: Premera members’ names, dates of birth, email addresses, mailing addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information, including clinical information.
As was the case with Anthem, the incident also affected non-Premera members who belonged to other Blue Cross Blue Shield plans and sought treatment in Washington or Alaska.
Premera business partners and employees were also affected, the company said.
The Premera breach follows similar attacks on Indiana based Anthem and the hack of Community Health Systems last year. In both cases, so-called “advanced threat” type actors were suspected of being behind the incident.
That could be the case here. While the motive of the attackers isn’t known, stolen personal information fetches a high price on underground marketplaces, where it is used to fuel identity theft. It is also possible that Premera’s customers (or a subset of them) were the real target, and that the hack is a precursor to targeted attacks.
Reuters notes that of the 11 million records stolen, 6 million of the people whose accounts were compromised are residents of Washington state, where “customers include employees of Amazon.com Inc., Microsoft Corp. and Starbucks Corp.” Another name not on the list: Boeing, which shifted its headquarters to Chicago, but still has a huge presence in Washington State.