The Mountlake Terrace-based health insurer said it discovered the breach in January, but that it first occurred in May 2014. The company said it has begun mailing letters to potentially affected customers about the attack.

Share story

Premera Blue Cross said Tuesday that approximately 11 million customers may be victims of a cyberattack on the health-insurance company’s information-technology system.

Premera, based in Mountlake Terrace, said in a news release it discovered the attack on Jan. 29, but that it initially took place May 5, 2014.

The attack affects customers of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, Vivacity and Connexion Insurance Solutions.

Premera said 250,000 customers of its LifeWise affiliate for Washington, Oregon and Arizona, as well as LifeWise Assurance were also affected.

Most Read Stories

Unlimited Digital Access. $1 for 4 weeks.

The company said the attackers may have gained access to customers’ information dating as far back as 2002, including names, dates of birth, Social Security numbers, addresses, bank-account information and claim information, including clinical information, according to the statement.

Washington state Insurance Commissioner Mike Kreidler said in a news release he is concerned about the six-week delay from when the company learned of the attack to when it was announced. But his immediate concern, he said, is that customers be notified as soon as possible.

Premera Blue Cross is the largest health-insurance provider in the state based on enrollment, and has more than 6 million current and former customers in Washington who could be affected by this breach.

“Premera has assured me that there is no evidence to date that any information was removed from their system or that any data has been used,” Kreidler said.

Most Read Stories

Unlimited Digital Access. $1 for 4 weeks.

In its statement, Premera said it was beginning to mail letters Tuesday to the approximately 11 million affected customers. The company said it is working with the FBI and the cybersecurity firm Mandiant to investigate the attack and fix the problem.

It also said it is taking additional actions to strengthen and enhance the security of its IT systems.

Eric Earling, vice president of corporate communications at Premera, said the company waited to announce the breach because it was advised to cleanse and secure the IT systems beforehand.

“We completely recognize the frustration and concern it can cause to know there may have been unauthorized access to information,” Earling said. “But there is no evidence that information was actually taken.”

The company is offering two years of free credit-monitoring and identity-theft-protection services to those who think they may have been affected by the breach.

Kreidler said in an interview that a routine examination team from his office was already on site at Premera and, with Tuesday’s disclosure, it will now investigate whether the company has done enough to prevent future breaches.

“It will be the beginning phases of something we’ll spend considerable time on in the coming weeks and months,” he said. “The team needs to examine the fix and make sure it will be reliable.”

This is the second major breach in the health-care industry in the past two months. Anthem, the second-largest U.S. insurer, in February disclosed it was hit by a cyberattack, which it also discovered Jan. 29.

That attack is estimated to have compromised similar information for 80 million customers, including information from some Blue Cross Blue Shield customers from all 50 states.

Although the Anthem breach did not include medical information, health-care data can be more valuable to cybercriminals than financial data because it has a longer shelf life, and criminals can use it to create a variety of false claims and records, said Paul Bantick, technology media and business-services underwriter at Beazley, a global crisis-management firm and cyber-breach insurer.

“In terms of credit cards, there’s a finite window,” said Bantick, whose firm has managed nearly 2,000 data-breach cases since 2009, including about 1,300 for clients in the health-care industry.

Data stolen from health insurers and hospitals typically fetch at least 10 times more than credit-card numbers on the black market, he added.

The FBI is investigating both the Premera and the Anthem breaches. Spokesman Joshua Campbell said the agency does not have any specifics to provide.

Because of the similarities between the attacks and the connection to Premera, Kreidler said regulators will be examining the “Blue system.”

“Anthem is the No. 2 insurer in the country … since they are both Blue plans, is that just a coincidence? Is there a pattern or a vulnerability? These are questions we want to find answers to,” he said.

Kreidler said his office routinely scrutinizes insurance companies’ vulnerabilities, but with the kind of sophisticated issues that have been coming up more recently, he recognizes his office needs to “be better at what we are doing right now.”

Premera has set up a dedicated call center for its members and other affected individuals, and more information can be found at www.premeraupdate.com.

For corporate victims of cyberattacks, Beazley’s Bantick said, preparation is key for limiting damage. A company should respond to a breach by first understanding how it happened, whether the company is still vulnerable and exactly which customers are affected. Then, companies must try to provide customers with “very clear messaging” to restore confidence.

Each situation is different, Bantick said, but responses typically can include setting up public call centers, providing regular information updates, and promising to restore customer-credit injuries or financial losses.

“The last thing you want to do is do something wrong that undermines your whole response so that you have to come back and start the whole thing again,” Bantick said.

That’s what happened to Target in late 2013. When news broke that hackers had stolen credit- and debit-card information of some 40 million customers, a Target spokesperson quickly issued a company statement that customers’ personal identification numbers, or PINs, were safe.

But that statement quickly proved false, as Target learned cybercriminals had figured out a way to decrypt scrambled customer PIN data.

The company had to retract its statement, further wounding Target’s brand and reputation, experts have said.