Up to 11M Affected By Premera Blue Cross HIPAA Breach

The Anthem data breach rocked the healthcare industry, but it appears to have been just the shape of things to come: hackers have now caused a Premera Blue Cross HIPAA compliance breach, and this time they obtained healthcare data.

Premera Blue Cross HIPAA Breach Affects 11 Million Members

The latest HIPAA data breach to be reported potentially affects up to 11 million health plan members of Premera Blue Cross including members of Premera Blue Cross Blue Shield of Alaska and two of its affiliates: Connexion Insurance Solutions, Inc and Vivacity.

The cyberattack on Premera Blue Cross occurred on May 5, 2014, although it took the company over 8 months to discover hackers had compromised its computer network. The intrusion was identified during a routine security audit on January 29, 2015.

The Anthem data breach may have exposed the most data of any healthcare security incident, but the Premera Blue Cross HIPAA breach is the largest healthcare data breach ever reported. Hackers were able to obtain a virtual smorgasbord of data that could be used to commit medical, insurance and identity fraud.

According to a recent announcement by the insurer, that data included the names of members and applicants; contact information such as addresses and telephone numbers; Social Security numbers; health plan identity numbers; claims information; clinical information and bank account details.

Not only is the scale of the heist astonishing, so is the sheer volume of highly personal data the hackers were able to obtain.

Breach Notification Letters Being Dispatched

Premera announced that it is now sending notification letters to all affected individuals as required by the HIPAA Breach Notification Rule. These must be sent within 60 days of the discovery of the breach, although according to the notice the letters only started going out today. It is not clear why it took the insurer so long to start sending letters to the affected individuals.

Jeff Roe, Premera President and CEO – himself a victim of the latest incident, having had his data stolen – issued a statement to reassure plan members, in which he said that he appreciates their frustration. He also reiterated that data privacy and security are a main priority at Premera and that everything possible is being done to deal with the situation and mitigate any damage.

“As much as possible, we want to make this event our burden, not yours, by making services available to protect you and your information moving forward,” he said. “All of us here at Premera have been affected by this attack and we understand and share your concerns. Please know that we’re committed to making sure you get the tools and assistance you need to help protect you.”

All individuals affected by the Premera Blue Cross data breach are being offered two years of credit protection services to mitigate any damage caused by the incident.

A Wake-Up Call for the Healthcare Industry

Unfortunately for the healthcare industry, security experts are warning that the Premera Blue Cross HIPAA breach is unlikely to be the last multi-million-record hacking incident to be reported this year. This breach should serve as a wake-up call to the healthcare industry that the threat of cyberattack is very real, as are the costs caused by a breach.

The threat from cybercriminals is at an all-time high, and many healthcare organizations may discover, like Premera, that prevention methods are ineffective if hackers already have access to the network.

Since both Anthem and Premera were attacked many months before the breach was discovered, it is feared that many other healthcare providers may have suffered similar breaches. A full security audit including a detailed review of PHI access logs should be conducted to check for successful intrusion attempts and any data transferred outside of the network. Defenses against hackers should also be reinforced in light of the recent data breaches.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news