Premera Blue Cross, a health-insurance company with millions of patients in the US, has just admitted that 11 million of its customers have been victims of a wide-ranging data breach. Stolen data includes Social Security numbers, bank account information, and clinical records. Oh crap.
According to a statement released today by Premera, the attack started in May 2014, and was only discovered on January 29th this year:
Our investigation determined that the attackers may have gained unauthorized access to applicants and members' information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.
Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected. The investigation has not determined that any such data was removed from our systems. We also have no evidence to date that such data has been used inappropriately.
It's disappointing that it took Premera 47 days to tell its customers that some of their most sensitive information had been looted. Although the company seems to have used that time to work with the FBI in tracking down the source of the hacks, those were still valuable months when people could have taken steps to change passwords, or just keep a closer eye on bank accounts.
Speaking of the source of the hack: the FBI and Premera are not pointing any fingers. But the fact that Mandiant — a security firm specializing in Chinese cyberattacks — was brought in to do the investigation does its own finger-pointing. Add in that Chinese hackers were linked to the massive hack at Anthem last year, and the numbers start adding up.
If you're a Premera customer, there's no need to freak out quite yet. The company is offering credit fraud monitoring for the next year, and there's a few simple steps you can take to minimise the risk of identity fraud. It's probably also worth keeping a close eye on the website Premera has set up to keep customers abreast of further developments. [Krebs on Security]