Premera Blue Cross revealed Tuesday it was hit by a sophisticated cyber attack potentially exposing personal data for approximately 11 million of its members including members, employees and others with whom it does business, dating back to as early as 2002.  The insurer said its investigation revealed the initial malware attack occurred on May 5, 2014, and access went undetected until January 29, 2015.  This breach adds to the growing list of hacks against health care companies and should again be an alert that systems must be adequately protected from sophisticated hackers.

Premera determined that hackers could have gained unauthorized access to applicants’ and member’s information, possibly including names, addresses, dates of birth, Social Security numbers, bank information and clinical information.  Premera stated that there is no evidence thus far that any of the data has been used illegally.

Premera is sending out letters to its customers, offering two years of free credit monitoring and identity theft protection services to those affected. A call center also is being set up. The company said it is working with the FBI and the cybersecurity firm Mandiant to investigate the attack and fix the problem.

As we discussed in a recent client alert, proactive HIPAA compliance efforts can reduce and mitigate the risk of future losses due to HIPAA and HITECH violations and breaches. It is clear from the recent cyber attacks that health care companies are significant targets.  Companies with relationships with these type of providers should carefully review their notification obligations and ensure that adequate risk allocations in connection with breaches are included in agreements going forward.