3 States to Probe Premera Breach
Looking for Answers About Cause, Response
Three state insurance commissioners are launching a joint investigation into the recent cyber-attack against Premera Blue Cross, which exposed the personal data of 11 million individuals nationwide.
The investigation into the hacking incident is being led by officials in the state of Washington, where 6 million individuals were affected by the hack attack. Oregon and Alaska are also participating in the investigation of the breach, which affected 250,000 and 80,000 individuals, respectively, in those two states.
Washington Insurance Commissioner Michael Kreidler says that the states will conduct a "market conduct examination" of Premera related to the breach. The examination will include on-site reviews of the insurer's financial books, records, transactions and how they relate to its activities in the marketplace, Kreidler explains in a statement.
While the exact scope of Premera's exam is still under discussion, the investigation may scrutinize all cybersecurity aspects of the breach; Premera's response to the breach and any corrective actions it has taken; and the financial impact of the breach on consumers, providers and the Blue Cross company, Kreidler says.
As part of the review, the participating states will contract with a cybersecurity firm to help examine such issues as:
- When and how the data was breached;
- Whether the breach has been stopped, and if so, when;
- Type of data compromised;
- How the attack was able to succeed;
- Whether the company has taken effective steps to prevent a future attack.
Officials have not yet determined when the exam will be completed. "Depending on the complexity, exams can take several months to more than a year to complete," Kreidler says in his statement. A final report will be made available to the public.
In addition to the multistate examination of the Premera breach, an internal forensic investigation is under way at Premera by cybersecurity firm Mandiant, as well as a criminal investigation by law enforcement officials, including the FBI.
In a March 19 statement announcing the breach, Premera said the incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and its affiliate brands Vivacity and Connexion Insurance Solutions, Inc. Members of other Blue Cross Blue Shield plans who have sought treatment in Washington or Alaska may also be affected, as well as members of Lifewise, an affiliate of Premera.
Premera says its investigation determined that the attackers gained unauthorized access to members' information, which could include names, dates of birth, Social Security numbers, mailing addresses, email addresses, telephone numbers, member identification numbers, bank account information and claims information, including clinical information. Data was not exfiltrated, the company says.
The Mountlake Terrace, Wash.-based health insurer says it discovered on Jan. 29 that cyber-attackers had executed a sophisticated attack to gain unauthorized access to its IT systems and data going as far back as 2002. The company says its investigation indicates that the initial attack occurred on May 5, 2014.
A Premera spokesman says the company waited six weeks to publicly announce the breach after discovering it in January because the insurer had been advised by investigators to first "cleanse" its systems and bolster security so that hackers would not wreak more damage in the interim.
Nonetheless, state insurance officials aren't happy about the delay. "I remain seriously concerned at the amount of time it took Premera to notify its policyholders of the breach," Kreidler says. "When you buy and use your insurance, you share your personal information with the company and you expect it to be protected during those transactions. When that trust is broken, it's our job to make sure consumers are protected and that companies are held responsible."
Officials in other states voiced similar notification concerns after Anthem Inc. announced on Feb. 4 that it had discovered a hacking attack that affected nearly 80 million individuals.
Ten state attorneys general sent a letter to Anthem on Feb. 10 to complain about the delay in the company sending out notification letters. Anthem posted information online on Feb. 13 instructing affected individuals on how they can sign up for two years of identity theft protection and credit monitoring (see AGs: Anthem Breach Notification Too Slow).
"We take the recent cyberattack at Premera very seriously," Kreidler says. "Insurance regulators across the country are on high alert given the recent breaches both at Premera and Anthem. And we will use every resource within our authority to ensure that consumers are protected and to see that insurers are responding appropriately."
Premera did not immediately respond to Information Security Media Group's request for comment on the multi-state investigation.