It has happened again…this time to Premera Blue Cross (Premera). On March 17, Premera announced that it was the target of a “sophisticated cyberattack” in which unauthorized users gained access to Premera’s IT systems and potentially the data of 11 million individuals. The initial attack is reported to have occurred on May 5, 2014, and was discovered by Premera on January 29, 2015.
Premera has stated that there is no evidence information was removed from its systems or that any such information has been used inappropriately. However, Premera is providing affected individuals with free credit monitoring and identity theft protection services. Premera has reported it is working with the FBI to investigate the cyberattack.
If this all sounds very familiar, that is because this attack is similar to the Anthem cyberattack we blogged about here last month. In fact, both Premera and Anthem learned of their respective cyberattacks on January 29. However, there are some key differences, both in the attacks themselves and the response of the affected entity:
- Notification dates: Both Anthem and Premera learned of their respective cyberattacks on January 29. However, Anthem began notifying affected customers and the media in mid-February, over a month earlier than Premera.
- Length of attack: Premera’s initial cyberattack occurred eight months before it was discovered, whereas Anthem discovered its cyberattack the month after it began.
- Data affected: Anthem reported that no actual medical information (e.g., claims information) was breached in its cyberattack. However, Premera stated that claims information, including clinical information, was breached.
It remains to be seen whether these differences in the notification dates, the length of time the cyberattack continued before it was discovered, and the data impacted will affect how Anthem and Premera are treated and viewed by the OCR, state regulators, affected individuals, and the media.
We have also provided a summary of the facts that Premera has released to date on its cyberattack in the following Q&A:
What Premera-affiliated entities were affected by the breach?
This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and its affiliate brands Vivacity and Connexion Insurance Solutions, Inc.
This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.
Has Premera published information discussing the breach?
What type of information was breached?
Premera has reported that the affected data may have included name, date of birth, email address, telephone number, Social Security number, member identification number, bank account information, and claims information, including clinical information. Premera stated that credit card information is not affected because “Premera does not store credit card information for members.”
It is reported that the information involved dates back to 2002. Premera has stated that there is no evidence information was removed from its systems or that any such information has been used inappropriately.
When will affected individuals be notified?
Premera stated that it began mailing letters to affected individuals on March 17. It appears that Premera plans to notify all affected individuals by April 20, as it released an FAQ encouraging individuals to reach out to Premera if they believe they were affected but have not received a letter by April 20. Premera is providing affected individuals with two years of free credit monitoring and identity theft protection services, including identity theft insurance.
Premera has stated it will not email affected individuals regarding this attack and that affected individuals should be alert for scam or phishing emails claiming to be from Premera.