NEW YORK (MainStreet) — About 11 million customer records apparently have been stolen from Premera, the big Blue Cross provider in Washington state and Alaska, and - sources said - this breach may in fact be significantly worse than earlier breaches that involved higher counts of compromised customers - such as the 80 million records stolen in the huge Anthem breach announced last month.
“More detailed information about Premera customers seems to have been stolen,” said Trend Micro security expert Christopher Budd.
According to a statement posted by Premera, “Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information.”
Seattle-based Budd added that news of the Premera breach “landed like a meteor in the Seattle tech community.” That’s because Premera has been a primary provider of insurance to employees at Microsoft, Amazon, and many other Seattle tech companies, a fact related by Budd (himself a former Microsoft employee) and reported by news service Reuters.
For those victims and millions more, the bad news multiplies. Apparently the Premera breach began in May 2014. It went undetected until January 29, 2015, the same day - coincidentally - that Anthem disclosed it had been attacked. Premera disclosed its breach on March 17, six weeks after it discovered it and over a year since it began.
Premera, in its announcement, stressed that it was the victim of “a sophisticated cyber attack.” Experts told MainStreet that may well be true, because health care-related information is believed to be much more valuable than credit card information. The number thrown out by security researchers is that healthcare data is ten times more valuable. Lysa Myers, a researcher at security company ESET, elaborated.
“From a criminal perspective, the data in a medical business is far more valuable than what they can find in almost any other kind of business – not only is there financial data, there’s often Social Security numbers and medical IDs that can be used for a greater range of more profitable frauds,” she said.
The consequences may ultimately make a bigger splash, but medical ID fraud and identity theft tend to fly under the radar a lot longer than payment card theft, Myers added, as both banks and their customers tend to check their statements a lot more often than people check their medical records or credit reports.
Carl Wright, general manager at TrapX Security, emphasized that the kind of information that typically can be acquired in a hack into a health care company can be used to facilitate identity theft and “steal someone’s entire identity.”
Budd also raised the frightening possibility that an energetic crook could use sensitive medical information to blackmail a victim. Has it happened? Not that anyone knows. Could it? Think of Claire Underwood from House of Cards and her abortion files. Would she pay? She is fiction, but the specter of paying to hide potentially compromising information is real.
Wright offered another frightening scenario. What if a hacker discovered that person X has cancer and then emailed various relatives - names gleaned from stolen files, probably under family medical history - with a link to an experimental cure? The hacker poses as the victim: “Here, what do you think of this treatment?” How many recipients would click? And in that second, malware could be put on their computers that later lets the hacker gain entry into corporate networks.
Sounds scary? You bet. But it gets worse. That’s because the hackers’ identity, although currently unconfirmed, might be a Chinese government sponsored gang, said respected security blogger Brian Krebs, who added that it appears to be the same group that goes by the names Deep Panda and Group 72 and likely also penetrated Anthem. That claim is not validated, but Krebs is known for his meticulous reporting.
What to do if you were a Premera victim - or if you are swept up in the next big insurer breach, which many security professionals believe is coming? Ken Levine, CEO of security firm Digital Guardian, offered two steps: “Review your credit card and bank statements often. If you see charges you don’t recognize, contact the fraud department at your bank or credit card provider right away.”
Levine continued: “Check your credit reports every few months. Monitoring your credit report is a good way to find out if someone has opened credit in your name. You’re entitled to a free report every 12 months from each of the three credit bureaus: Equifax, Experian and TransUnion.”
The good news for Premera victims is that the company has promised two years of free credit monitoring and identity theft protection from Experian, a recognized leader.
That will provide some comfort but the plain fact is, according to the researchers: if in fact as much information as many believe was stolen from Premera, this will be an ugly mess for many in Washington state for some months, and, other than real vigilance, there is no cure. Stay alert, assume the full medical file is in circulation and realize that self-protection is the only lasting defense in large breaches such as Premera’s.
—Written by Robert McGarvey for MainStreet